Configuring ID token fulfillment
Map attributes from the access token or other sources to fulfill the attribute contract.
Steps
-
Go to Applications → OAuth → OpenID Connect Policy Management and select your policy, or click Add Policy.
-
On the Contract Fulfillment tab, select a source from the Source list and then select or enter a value for each attribute in the contract.
Map the subject attribute and all extended attributes from one of the following sources:
- Context
-
Values are returned from the context of the transaction at runtime.To enter an expression, select Expression under Source, and then click Edit.
When modifying the personally identifiable information (PII) for hybrid flows, if the RequestEndpoint context value ends with a token endpoint path the actual value is populated and sent in the token response. If the field is blank, a null value is sent in the token response.
Because the HTTP Request context value is retrieved as a Java object rather than text, OGNL expressions are preferred to evaluate and return values.
If Expression is not available, you can enable it by editing the
org.sourceid.common.ExpressionManager.xml
file in the<pf_install>/pingfederate/server/default/data/config-store
directory. - Extended Client Metadata
-
Values are returned from the client record.
- LDAP/JDBC/Other
-
Values are returned from your datastore, if used. When selected, the Value list populates with attributes from the datastore.
- Expression
-
When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
- No Mapping
-
This option ignores the Value field.
- Text
-
The value is what you enter. This can be text only, or you can mix text with references to the unique user ID returned from the credentials validator, using the
$attribute
syntax.You can also enter values from your datastore, when applicable, using the${ds.attribute}
syntax, whereattribute
is any of the datastore attributes you have selected.You can reference attribute values in the form of
${attributeName:-defaultValue}
. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use${
and}
in the default value. - Access Token
-
The value is provided from the access token.
- Persistent Grant
-
Enables direct mapping from the grant to the ID Token and to user information attributes.
-
Click Next.