PingFederate Server

Configuring access token fulfillment

On the Contract Fulfillment tab, map values into the token attribute contract to be included or referenced in the access token.

Steps

  1. Choose a source from the Source list, and then select a value from the Value list for each attribute in the contract, or enter your own.

    Map each attribute from one of the following sources:

    • Client Credentials, IdP Adapter, IdP Connection, Password Credential Validator, or Token Exchange Processor Policy

      Depending on the selections under Context in the Access Token Attribute Mapping tab, you can map attributes from that specific authentication system. Select the corresponding context under Source and the desired attribute under Value.

    • Persistent Grant

      When selected, the associated Value list is populated with the USER_KEY and extended attributes from the persistent access-token grant.

    • Context

      Values are returned from the context of the transaction at runtime.

      The HTTP Request context value is retrieved as a Java object rather than as text, so a plain Text mapping cannot read it. Use an OGNL expression to evaluate the object and return the value you want to map.

      Select Expression under Source, and then click Edit to enter an expression.

      For sample expressions, see Expressions for OAuth and OpenID Connect use cases.

      If the Expression selection is not available, you can enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory. Expressions are evaluated inside the PingFederate server process at runtime, so limit the ability to enable and edit them to administrators you trust with that level of access.

    • Extended Client Metadata

      Values are returned from the client record.

    • LDAP/JDBC/Other

      Values are returned from your datastore, if used. When you make this selection, the Value list populates with attributes from the datastore.

    • Expression

      When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.

    • No Mapping

      This option ignores the Value field; no value needs to be selected for the attribute.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to the USER_KEY using the ${USER_KEY} syntax.

      When applicable, you can also enter values from your datastore using the ${ds.attribute} syntax, where attribute is any of the datastore attributes you have selected.

    You can reference attribute values in the form ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ or } inside the default value. Because the default is emitted into the access token whenever the source attribute is missing, choose defaults that a resource server cannot mistake for a valid entitlement.

  2. Click Next.
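The following is an added example, not code from PingFederate or from this page, that models the Text-mapping reference syntax described above (${USER_KEY}, ${ds.attribute}, and ${attributeName:-defaultValue}) so a contract can be checked before it is saved. It assumes a flat attribute namespace in which the persistent-grant user key is exposed as "USER_KEY" and datastore attributes as "ds.<attribute>", and it assumes that a reference with neither a value nor a default contributes an empty string; PingFederate's own resolver is not documented here and may behave differently in those cases. The contract and attribute values are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# ${name} or ${name:-default}. The default runs up to the first closing brace,
# which is why the page says not to use "${" or "}" inside it.
_REF = re.compile(r"\$\{([A-Za-z0-9_.\-]+)(?::-([^}]*))?\}")


@dataclass
class Resolution:
    value: str                                           # text after substitution
    defaulted: List[str] = field(default_factory=list)   # refs that fell back to their default
    unresolved: List[str] = field(default_factory=list)  # refs with no value and no default


def check_text_value(text: str) -> None:
    """Reject a Text mapping whose default contains "${" (a nested reference),
    or that leaves a "${" behind that no well-formed reference consumed."""
    for m in _REF.finditer(text):
        if m.group(2) is not None and "${" in m.group(2):
            raise ValueError(f"default for {m.group(1)} must not contain '${{'")
    if "${" in _REF.sub("", text):
        raise ValueError(f"unterminated or nested reference in {text!r}")


def resolve_text_value(text: str, attrs: Dict[str, str]) -> Resolution:
    """Substitute references against the attributes available at runtime.

    attrs is a flat namespace (assumed layout): "USER_KEY" for the persistent
    grant's user key and "ds.<attribute>" for selected datastore attributes.
    """
    check_text_value(text)
    res = Resolution(value="")

    def sub(m: re.Match) -> str:
        name, default = m.group(1), m.group(2)
        if attrs.get(name) is not None:
            return attrs[name]
        if default is not None:
            res.defaulted.append(name)   # default will be minted into the token
            return default
        res.unresolved.append(name)
        return ""  # assumption: an unresolved reference contributes nothing

    res.value = _REF.sub(sub, text)
    return res


def audit_contract(contract: Dict[str, str], attrs: Dict[str, str]) -> Dict[str, Resolution]:
    """Resolve every Text-mapped contract attribute so defaulted and unresolved
    references can be reviewed before the mapping is saved."""
    return {name: resolve_text_value(text, attrs) for name, text in contract.items()}


if __name__ == "__main__":
    # Constructed sample: four Text mappings and the attributes a hypothetical
    # user "jdoe" presents at runtime (note: no ds.department and no ds.title).
    contract = {
        "sub": "${USER_KEY}",
        "email": "${ds.mail:-}",
        "dept": "${ds.department:-unassigned}",
        "scope_hint": "${ds.title}@${USER_KEY}",
    }
    attrs = {"USER_KEY": "jdoe", "ds.mail": "jdoe@example.com"}
    for name, r in audit_contract(contract, attrs).items():
        print(f"{name:10} -> {r.value!r:22} defaulted={r.defaulted} unresolved={r.unresolved}")
```

Run the audit against the attribute set a representative user actually presents; any attribute listed under defaulted is one the token will carry with a fixed value when the source is missing, and anything listed under unresolved is a mapping that will silently produce an empty claim.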