Generated attributes
When a JSON schema is defined in an attribute or service’s value settings, you can generate child attributes that extract schema properties.
PingOne Authorize automatically resolves a generated attribute against the parent attribute or service and adds a JSON Path processor that extracts the JSON schema property.
You can generate attributes by selecting them in any field that allows attribute selection. If an attribute hasn’t been generated for a property yet, the property is grayed out.
If the parent attribute has nested JSON properties, you must generate attributes one level at a time. Generate the parent-level attribute first, then generate the child. For example, to generate a risk level attribute, you have to generate the result attribute first.
Nested attributes always resolve against the parent attribute directly above them in the tree, instead of the root-level attribute.
If the JSON schema changes in the parent attribute, you must manually update any generated child attributes. PingOne Authorize does not do this automatically. |
Connector attributes
When you connect to a PingOne service, PingOne Authorize automatically creates an attribute that resolves against the service. This attribute contains a JSON schema that you can use to generate additional attributes.
Connector attributes are nested under the Connectors parent attribute on the Attributes tab. PingOne Authorize owns the Connector parent attribute and the attributes nested directly under it that resolve against a service.
The Shield () icon indicates that these attributes are system-owned and editing restrictions apply. You can’t move, update, or delete these attributes. This ensures that connector attributes are configured correctly and always available.
You can nest your own attributes under connector attributes. When you delete a connector service, the generated attribute that resolves against the service is also deleted.
The following image shows an example of a system-owned connector attribute that resolves against the PingOne Protect service with additional child attributes that extract the risk level.
Generating an attribute
About this task
Generate attributes to extract JSON schema properties from parent attributes. As example data, consider the following JSON passed in a decision request. The JSON represents a user in an external identity store.
{
"Id": "my-id",
"Ip": "217.145.198.92",
"Name": "John Smith"
}
You’ll create a parent attribute that stores the user information, then generate child attributes that extract properties.
Steps
-
Add an attribute that stores a JSON schema:
-
On the Attributes tab, click the icon and select Add new attribute, then enter a name for the attribute, such as
External User
. -
To define where the attribute pulls information from, click Resolvers, and then click Add Resolver.
-
In the Resolver type list, select Request Parameter.
-
In the Value Settings section, select JSON in the Type list.
-
Use an online JSON schema generator to generate a schema for the example JSON that represents the external user.
Example:
{ "$schema": "http://json-schema.org/draft-04/schema#", "type": "object", "properties": { "Id": { "type": "string" }, "Ip": { "type": "string" }, "Name": { "type": "string" } }, "required": [ "Id", "Ip", "Name" ] }
-
Copy the resulting schema and enter it in the JSON Schema field.
To edit large JSON objects more effectively, open the code editor by clicking .
-
Click Save Changes.
-
-
Generate attributes based on the defined JSON schema.
For example purposes, you’ll generate attributes for PingOne Protect connector service inputs.
-
Add a connector service forPingOne Risk. Enter a name, such as
External User Risk
, and then select the service type, and connector types. -
In the Inputs section, click next to User ID, and then click the Select an attribute list.
-
Expand the External User parent attribute and select the Id property.
If an attribute hasn’t been generated for a property yet, the property is grayed out. When you select a property, PingOne Authorize adds an attribute that resolves against the parent attribute and a processor that extracts the property.
-
For User Type, enter
EXTERNAL
. -
For IP Address, select the External User → Ip property to generate an attribute.
-
Click Save changes.
Generated attributes are nested under the parent attribute on the Attributes tab.
The generated attributes resolve against their parent attribute, as shown in the following image.
-