Entering a directory search filter
You can use a filter in PingFederate to query your selected data and retrieve a record associated with it.
About this task
On the LDAP Filter window, enter a filter for PingFederate to query the data you selected. The filter is in the form:
attribute1=value1
The left side (attribute1) is an attribute from your directory.
To see a list of attributes, click the View List of Available LDAP Attributes link.
The right side (value1) is the match-against value, generally a variable passed in from either an authentication source for an identity provider (IdP) or an assertion for a service provider (SP). The variables are shown underneath the Filter text field. If you are retrieving attributes from multiple data stores using one mapping, attributes available from other sources, if previously configured, are listed near the bottom of the window.
You can also apply additional search criteria by using other attributes from the target object class.
A filter narrows a search to locate requested data by either including or excluding specific records. A filter includes the attributes in the search and the value or range of values that the search is attempting to match. Searches are conducted by using three components: at least one attribute (attribute data type) on which to search, a search filter operator that will determine what to match, and the value of the attribute being sought.
Steps
- On the LDAP Filter window, enter a search filter in the text field. You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.
- Ensure the syntax and variable names are correct. For general information about search filters, consult your directory documentation.
- Click Next to complete the configuration to query attributes from the directory server.
Later in the workflow, you can use the attribute values returned from your directory server in the applicable contract fulfillment window, the issuance criteria window, or both, to fulfill your use case.
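As an added illustration, not PingFederate's own code, the following Python reimplements the variable-substitution rules from the steps above: ${attributeName:-defaultValue}, ${attributeName} with no default, and the bare $attributeName form that the example on this page uses (mail=$eml). The function names, the regular expression and the constructed sample attribute values are this example's own. It also hex-escapes substituted values per RFC 4515 so that a value containing filter metacharacters is matched literally; the page does not say whether PingFederate applies such escaping, so that part is an assumption of this example rather than documented product behaviour.

```python
import re

# Matches the two variable forms described on the page:
#   ${attributeName:-defaultValue}   (the default part is optional: ${attributeName})
#   $attributeName                   (bare form, as in the page's mail=$eml example)
# The default value may not contain '}', which [^}]* enforces.
_VAR_RE = re.compile(
    r"\$\{(?P<name>[A-Za-z0-9_.\-]+)(?::-(?P<default>[^}]*))?\}"
    r"|\$(?P<bare>[A-Za-z0-9_.\-]+)"
)

# RFC 4515 assertion-value escaping. These characters have structural meaning
# inside an LDAP search filter, so data values are hex-escaped before insertion.
# (Assumption of this example; the page does not state that PingFederate does this.)
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_value(value: str) -> str:
    """Escape a value so an LDAP server matches it literally (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, attributes: dict[str, str]) -> str:
    """Expand ${name:-default} and $name references with runtime attribute values.

    - If the attribute is available, its value is used.
    - If it is unavailable and a default was given, the default is used.
    - If it is unavailable and no default was given, KeyError is raised so the
      caller does not silently query with an empty or partial filter.
    """
    def replace(match: re.Match) -> str:
        name = match.group("name") or match.group("bare")
        value = attributes.get(name)
        if value is None:
            if match.group("default") is None:
                raise KeyError(f"attribute '{name}' unavailable and no default given")
            value = match.group("default")
        return escape_ldap_value(value)

    return _VAR_RE.sub(replace, template)


if __name__ == "__main__":
    # Constructed sample: the access token carried an 'eml' attribute.
    token_attrs = {"eml": "alice@example.com"}
    print(expand_filter("mail=$eml", token_attrs))
    # Constructed sample: 'uid' missing, default supplied in the template.
    print(expand_filter("(&(objectClass=user)(sAMAccountName=${uid:-nobody}))", {}))
```

The escaping step is what makes the substitution safe to use with values that originate outside the directory (an authentication source or an inbound assertion): the variable is replaced by data, never by filter syntax.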
Example
Suppose you want to locate user records by matching the mail Active Directory (AD) user attribute against an extended attribute, eml, in your access token contract for the purpose of mapping attributes to an OpenID Connect policy. As a passed-in variable from the access token, eml is shown underneath the Filter text field.
On the LDAP Filter window, enter the following filter in the Filter text field.
mail=$eml
- mail: An AD user attribute containing the email address of the user
- eml: The value of the extended attribute (eml) in the access token contract
You must use the