PingFederate Server

Configuring ID token fulfillment

Map attributes from the access token or other sources to fulfill the attribute contract.

Steps

  1. Go to Applications → OAuth → OpenID Connect Policy Management and select your policy, or click Add Policy.

  2. On the Contract Fulfillment tab, select a source from the Source list and then select or enter a value for each attribute in the contract.

    Map the subject attribute and all extended attributes from one of the following sources:

    Context

    Values are returned from the context of the transaction at runtime.To enter an expression, select Expression under Source, and then click Edit.

    When modifying the personally identifiable information (PII) for hybrid flows, if the RequestEndpoint context value ends with a token endpoint path the actual value is populated and sent in the token response. If the field is blank, a null value is sent in the token response.

    Because the HTTP Request context value is retrieved as a Java object rather than text, OGNL expressions are preferred to evaluate and return values.

    If Expression is not available, you can enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory.
    Extended Client Metadata

    Values are returned from the client record.

    LDAP/JDBC/Other

    Values are returned from your datastore, if used. When selected, the Value list populates with attributes from the datastore.

    Expression

    When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.

    No Mapping

    This option ignores the Value field.

    Text

    The value is what you enter. This can be text only, or you can mix text with references to the unique user ID returned from the credentials validator, using the $attribute syntax.You can also enter values from your datastore, when applicable, using the ${ds.attribute} syntax, where attribute is any of the datastore attributes you have selected.

    You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.
    Access Token

    The value is provided from the access token.

    Persistent Grant

    Enables direct mapping from the grant to the ID Token and to user information attributes.

  3. Click Next.