PingFederate Server

Configuring IdP connection grant mapping

Use this configuration to map values obtained from the single sign-on (SSO) tokens into the persistent grants. Persistent grants remain valid until the grant expires or is explicitly revoked.

About this task

The USER_KEY attribute is the identifier of the persistent grants.

The USER_NAME attribute presents the name shown to the resource owner on OAuth user-facing pages.

If extended attributes are defined in System → OAuth Settings → Authorization Server Settings, configure a mapping for each attribute.

You can optionally set up datastore queries to supplement values returned from the source.

This mapping configuration is suitable for the Authorization Code and Implicit grant types.

Steps

  1. Go to Authentication → Integration → IdP Connections and select an existing identity provider (IdP) connection or click Create Connection.

  2. On the Connection Type tab, select the Browser SSO Profiles check box and the applicable protocol.

  3. On the Connection Options window, select the Browser SSO check box and then select the OAuth Attribute Mapping check box.

    You can also select other options on the Connection Type and Connection Options tabs. If you do, you will be prompted to complete the required configuration. For simplicity, this topic only focuses on the OAuth Attribute Mapping configuration.

  4. On the General Info tab, enter the required information.

  5. On the Browser SSO tab, click Configure Browser SSO and follow the steps to complete the User-Session Creation tab.

  6. On the OAuth Attribute Mapping tab, select the Map directly into Persistent Grant option, and then click Configure OAuth Attribute Mapping to continue.

    Alternatively, if you have mapped an authentication policy contract (APC) in User-Session Creation → Target Session Mapping, you can select the Map to OAuth via Authentication Policy Contract option, and then select the applicable APC from the list.