Mapping attributes to a user account
Map incoming attributes to the account attributes on an LDAP server, the columns in a database table on a Microsoft SQL Server, or the parameters of a Microsoft SQL Server stored procedure.
About this task
In addition to values obtained from the single sign-on (SSO) token, you can map attributes from the context of the SSO transaction, from text (with or without references to values from the SSO token), and from OGNL expressions if expressions are enabled.
If you select a Microsoft SQL Server datastore on the User Repository tab, then on the Attribute Fulfillment tab you can test the insertion of attribute values into the database table or the stored procedure. When mapping to a database column of the datetime or smalldatetime data type, if you are not using a stored procedure to convert the incoming string value, you can use a PingFederate Java conversion method through OGNL expressions.
Steps
- On the Attribute Fulfillment tab, select a source from the list for each target attribute or parameter.
  Choose from:
  - Assertion or Provider Claims
    Values are contained in the SSO token from this identity provider (IdP). When you select this, the associated Value list is populated by the attribute contract.
  - Context
    Values are returned from the context of the transaction at runtime.
    Because the HTTP Request is retrieved as a Java object rather than as text, OGNL expressions are more appropriate for evaluating and returning values. Choose Expression from the list and then click Edit to enter an expression.
  - Attribute Query
    This choice appears only if you choose the Attribute Query profile for provisioning.
    To map an attribute-query value, use the syntax ${query_attribute}. You can combine attribute-query values with references to attributes in the attribute contract; for example, ${query_attribute}+${attribute.
    References to attributes not contained in the attribute contract result in an attribute query back to the IdP partner.
  - Expression
    Enable OGNL expressions by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change. For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the System → Server → Cluster Management window, and restart all nodes.
    This option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
    If you need to map multiple attribute values from one or multiple sources to one attribute value, use an OGNL expression to create it.
    For database mapping, if the data type of a target parameter is datetime or smalldatetime, you can use an expression to convert date-time strings from the SSO token. After selecting Expression, click Datetime OGNL Examples for syntax information and examples.
  - System Managed
    This mapping option appears only when any automatically assigned attributes are among the columns to be provisioned, such as an identity or a timestamp column on the Microsoft SQL Server.
  - Text
    The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SSO token, using the ${attribute} syntax. You can reference attribute values in the form ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.
    For LDAP mapping, choose Text as the Source for the objectClass attribute. For mapping into a database, if no entry is required for a column, you can leave the field blank. A blank entry results in an empty string in the database for string data types and null for all other data types. Alternatively, for string types, you can enter null in the field to explicitly set null in the column.
- Select or enter an attribute value.
  All values must be mapped. For optional table columns, you can leave the field blank or, for string data types, enter null to avoid empty strings. No value is required for System Managed attributes.
  For Active Directory, enter user in the objectClass field. For Oracle Directory Server or Oracle Unified Directory, enter inetOrgPerson.
- Optional: When mapping to a Microsoft SQL Server datastore, test the insertion.
  Choose from:
  - If testing from a table:
    - Click Test insert into <table>.
    - Enter values for each applicable target parameter.
    - Click Test Insert.
      If the test succeeds, a confirmation displays along with the values inserted.
      Unless you want to keep the test values in the database, click Roll Back All Test Inserts.
  - If testing from a stored procedure:
    - Click Test call to <procedure>.
    - Enter values for each applicable target parameter.
    - Click Test Stored Procedure Call.
      For stored procedures, only a confirmation displays if the test is successful, indicating that the procedure was called with the parameter values.
      No rollback feature is provided because PingFederate does not know the result of the procedure. Database rollback must be handled manually.
  - When finished, click Return to Attribute Fulfillment.
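As an added illustration, not PingFederate's own code, the following Python models the Text-source reference syntax (${attribute} and ${attributeName:-defaultValue}, with the rule that a default may not contain ${ or }), the fallback attribute query to the IdP for names outside the attribute contract, and the blank/null column rules for database mapping described above. The token attributes and the query_idp callback are constructed for the example.

```python
import re
from typing import Callable, Mapping, Optional

# ${name} or ${name:-default}; a default runs up to the first "}". This grammar is an
# assumption built from the page's description, not PingFederate's actual parser.
_REF = re.compile(r"\$\{([A-Za-z_][\w.-]*)(?::-([^}]*))?\}")


def resolve_text(template: str, token_attrs: Mapping[str, Optional[str]],
                 query_idp: Optional[Callable[[str], Optional[str]]] = None) -> str:
    """Expand a Text-source value against the SSO token attributes.

    A missing attribute falls back to its ':-default'. With no default, the name is
    looked up through query_idp (modelling the attribute query back to the IdP for
    names outside the attribute contract). If still unresolved, fail loudly rather than
    silently provisioning a blank value into the directory or database.
    """
    def expand(m) -> str:
        name, default = m.group(1), m.group(2)
        if default is not None and "${" in default:
            raise ValueError(f"default for {name!r} must not contain '${{' or '}}'")
        if token_attrs.get(name) is not None:
            return str(token_attrs[name])
        if default is not None:
            return default
        if query_idp is not None:
            fetched = query_idp(name)
            if fetched is not None:
                return fetched
        raise KeyError(f"unresolved attribute reference: {name}")

    return _REF.sub(expand, template)


def db_column_value(text: str, is_string_column: bool) -> Optional[str]:
    """Apply the page's blank/null rule for a value mapped into a database column.

    Blank -> '' for string columns and None (SQL NULL) for every other data type;
    the literal word 'null' in a string column also means SQL NULL.
    """
    if text == "":
        return "" if is_string_column else None
    if is_string_column and text == "null":
        return None
    return text
```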