PingOne

Generated attributes

When a JSON schema is defined in an attribute or service’s value settings, you can generate child attributes that extract schema properties.

PingOne Authorize automatically resolves a generated attribute against the parent attribute or service and adds a JSON Path processor that extracts the JSON schema property.

You can generate attributes by selecting them in any field that allows attribute selection. If an attribute hasn’t been generated for a property yet, the property is grayed out.

If the parent attribute has nested JSON properties, you must generate attributes one level at a time. Generate the parent-level attribute first, then generate the child. For example, to generate a risk level attribute, you have to generate the result attribute first.

Screen capture showing the grayed-out result and level properties nested under an automatically generated Risk attribute.

Nested attributes always resolve against the parent attribute directly above them in the tree, instead of the root-level attribute.

If the JSON schema changes in the parent attribute, you must manually update any generated child attributes. PingOne Authorize does not do this automatically.

Connector attributes

When you connect to a PingOne service, PingOne Authorize automatically creates an attribute that resolves against the service. This attribute contains a JSON schema that you can use to generate additional attributes.

Connector attributes are nested under the Connectors parent attribute on the Attributes tab. PingOne Authorize owns the Connector parent attribute and the attributes nested directly under it that resolve against a service.

The shield icon indicates that these attributes are system-owned and editing restrictions apply. You can't move, update, or delete these attributes. This ensures that connector attributes are configured correctly and always available.

You can nest your own attributes under connector attributes. When you delete a connector service, the generated attribute that resolves against the service is also deleted.

The following image shows an example of a system-owned connector attribute that resolves against the PingOne Protect service with additional child attributes that extract the risk level.

Screen capture showing an automatically generated attribute with a service resolver and JSON schema from the Risk service.

Generating an attribute

About this task

Generate attributes to extract JSON schema properties from parent attributes. As example data, consider the following JSON passed in a decision request. The JSON represents a user in an external identity store.

{
  "Id": "my-id",
  "Ip": "217.145.198.92",
  "Name": "John Smith"
}

You’ll create a parent attribute that stores the user information, then generate child attributes that extract properties.

Steps

  1. Add an attribute that stores a JSON schema:

    1. On the Attributes tab, click the icon and select Add new attribute, then enter a name for the attribute, such as External User.

    2. To define where the attribute pulls information from, click Resolvers, and then click Add Resolver.

    3. In the Resolver type list, select Request Parameter.

      Screen capture showing the External User attribute with a Request Parameter resolver.
    4. In the Value Settings section, select JSON in the Type list.

    5. Use an online JSON schema generator to generate a schema for the example JSON that represents the external user.

      Example:

      {
        "$schema": "http://json-schema.org/draft-04/schema#",
        "type": "object",
        "properties": {
          "Id": {
            "type": "string"
          },
          "Ip": {
            "type": "string"
          },
          "Name": {
            "type": "string"
          }
        },
        "required": [
          "Id",
          "Ip",
          "Name"
        ]
      }
    6. Copy the resulting schema and enter it in the JSON Schema field.

      Screen capture showing the resulting JSON Schema in the attribute’s Value Settings section.

      To edit large JSON objects more effectively, open the code editor by clicking the Rich text editor button.

    7. Click Save Changes.

  2. Generate attributes based on the defined JSON schema.

    For example purposes, you’ll generate attributes for PingOne Protect connector service inputs.

    1. Add a connector service for PingOne Risk. Enter a name, such as External User Risk, and then select the service type and connector types.

    2. In the Inputs section, click the Switch to Attribute button next to User ID, and then click the Select an attribute list.

    3. Expand the External User parent attribute and select the Id property.

      If an attribute hasn’t been generated for a property yet, the property is grayed out. When you select a property, PingOne Authorize adds an attribute that resolves against the parent attribute and a processor that extracts the property.

      Screen capture showing External User attribute properties in the expanded Select an Attribute list.
    4. For User Type, enter EXTERNAL.

    5. For IP Address, select the External User → Ip property to generate an attribute.

    6. Click Save changes.

      Generated attributes are nested under the parent attribute on the Attributes tab.

      Screen capture showing generated Id and Ip attributes nested under the External User attribute on the Attributes tab

      The generated attributes resolve against their parent attribute, as shown in the following image.

      Screen capture showing the parent attribute resolver and JSON path processor for the Id attribute.
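
Generated child attributes are not updated when the parent's JSON schema changes, so it helps to check them against the schema after every edit. The following sketch is an added example, not PingOne Authorize code: it models level-by-level resolution against the parent and flags generated children whose property no longer exists. The revised schema, the GENERATED inventory, and all function names are assumptions made for illustration.

```python
import json

# Schema from the page's External User example.
OLD_SCHEMA = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "properties": {"Id": {"type": "string"}, "Ip": {"type": "string"},
                   "Name": {"type": "string"}},
    "required": ["Id", "Ip", "Name"],
}
# Constructed revision of that schema: "Ip" moved under a new "Network" object.
NEW_SCHEMA = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "properties": {"Id": {"type": "string"}, "Name": {"type": "string"},
                   "Network": {"type": "object",
                               "properties": {"Ip": {"type": "string"}}}},
    "required": ["Id", "Name"],
}
# Hypothetical inventory of generated children: one property step per nesting level.
GENERATED = [("Id",), ("Ip",)]


def schema_paths(schema, prefix=()):
    """Return every property path the schema declares, one tuple per path."""
    paths = set()
    for name, sub in schema.get("properties", {}).items():
        path = prefix + (name,)
        paths.add(path)
        paths |= schema_paths(sub, path)
    return paths


def stale_children(schema, generated):
    """Generated attributes whose path no longer exists in the parent schema."""
    declared = schema_paths(schema)
    return [g for g in generated if g not in declared]


def resolve(parent_value, steps):
    """Resolve level by level: each child extracts one property from the value directly above it."""
    value = parent_value
    for step in steps:
        if not isinstance(value, dict) or step not in value:
            return None  # nothing to extract at this level
        value = value[step]
    return value


if __name__ == "__main__":
    request = json.loads('{"Id": "my-id", "Ip": "217.145.198.92", "Name": "John Smith"}')
    print(resolve(request, ("Ip",)))
    print(stale_children(NEW_SCHEMA, GENERATED))
```

A stale child such as the Ip attribute here is worth catching early, because in the procedure above it feeds the IP Address input of the risk connector service.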