PingFederate Server

Defining an attribute contract for the OAuth assertion grant

About this task

An attribute contract is a set of user attributes the IdP sends in the SAML assertions or JWTs for this connection. You identify these attributes on the OAuth Assertion Grant Attribute Mapping → Attribute Contract window.

TOKEN_SUBJECT represents the name identifier of the user for whom the access token is being requested: the SAML_SUBJECT attribute in SAML assertions and the sub claim in JWTs.

Optionally, you can mask the values of attributes (other than TOKEN_SUBJECT) in the log files that PingFederate writes when it receives security tokens.

Steps

  • To add an attribute, follow these steps:

    1. Enter the attribute name in the text box.

    Attribute names are case-sensitive and must correspond to the attribute names expected by your partner.

    2. Select the check box under Mask Values in Log.

    3. Click Add.

  • To modify an attribute name or masking selection, follow these steps:

    1. Click Edit under Action for the attribute.

    2. Make the change and click Update.

      If you change your mind, ensure that you click Cancel under Action.

  • To delete an attribute, click Delete under Action for the attribute.
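
The following is an added illustration, not PingFederate code: a small Python model of how a contract defined this way behaves against an incoming JWT, showing the case-sensitive name match and the log masking that leaves TOKEN_SUBJECT visible. The function names, the mask string, the sample token and the treatment of unmatched attributes as "missing" are assumptions made for the example.

```python
import base64
import json

MASK = "****"  # assumed mask string, not PingFederate's actual log format

def b64url(obj: dict) -> str:
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload (signature validation is out of scope)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def fulfill_contract(claims: dict, contract: dict) -> tuple:
    """Return (attributes, missing); contract maps attribute name -> mask flag."""
    attributes, missing = {}, []
    if "sub" in claims:
        attributes["TOKEN_SUBJECT"] = claims["sub"]  # sub claim -> TOKEN_SUBJECT
    else:
        missing.append("TOKEN_SUBJECT")
    for name in contract:
        if name in claims:  # exact, case-sensitive match
            attributes[name] = claims[name]
        else:
            missing.append(name)
    return attributes, missing

def log_view(attributes: dict, contract: dict) -> dict:
    """Copy of the attributes for logging; TOKEN_SUBJECT is never masked."""
    return {
        name: MASK if name != "TOKEN_SUBJECT" and contract.get(name) else value
        for name, value in attributes.items()
    }

# Constructed sample: the partner sends "Department", the contract says "department".
SAMPLE_JWT = ".".join([
    b64url({"alg": "RS256"}),
    b64url({"sub": "jdoe", "email": "jdoe@example.com", "Department": "finance"}),
    "constructed-signature",
])
CONTRACT = {"email": True, "department": False}  # name -> Mask Values in Log

if __name__ == "__main__":
    attrs, missing = fulfill_contract(jwt_claims(SAMPLE_JWT), CONTRACT)
    print("log view:", log_view(attrs, CONTRACT))
    print("missing:", missing)
```
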