Configuring identity hint contract
You can configure the identity hint contract, which contains the set of attributes received in the client initiated backchannel authentication (CIBA) request that identifies the user.
About this task
IDENTITY_HINT_SUBJECT
is a core attribute and is automatically populated by the sub
attribute of an identity hint token, if found, or the attribute value of the login_hint
request attribute.
A client can send an ID token, id_token_hint
, or a login hint token, login_hint_token
, as the identity hint token. If you extend the identity hint contract with attribute names from the identity token, PingFederate fulfills them with values found in the identity token.
As needed, all attributes can optionally be fulfilled differently on the Identity Hint Contract Fulfillment tab. |
Steps
-
Optional: Go to Applications → OAuth → CIBA Request Policies. On the Identity Hint Contract Fulfillment tab, enter an attribute name under Extend the Contract, and then click Add.
-
Repeat the previous step to define additional attributes. Click Next.
Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.
Example
Example
Suppose the following JSON web token (JWT) matches the expected structure of the login hint tokens.
{
"sub": "asmith",
"attrs": {
"mail": "asmith@example.com",
"phone": "555-555-5555"
}
}
To add both the mail
and phone
attributes, extend the contract with login_hint_token.attrs.mail
and login_hint_token.attrs.phone
, respectively.