PingOne for Enterprise

Creating advanced attribute mappings

Advanced attribute mappings allow you to customize attributes for specific applications or identity providers (IdPs).

About this task

Advanced attribute mapping is not available for PingOne for Enterprise Directory.

Advanced attribute mapping mode lets you modify the mapping of an identity repository attribute to a service provider (SP) application attribute, or assign more than one identity repository attribute to an application attribute, so that the needed attribute can be used without altering the existing mapping.

Use advanced attribute mapping when you:

  • Customize PingOne dock settings and want to change one or more of the default attributes used by the identity bridge.

  • Add a cloud application for your single sign-on (SSO) users, and one or more of the attributes for the application are different from the attributes used by the identity bridge.

In both cases, if the standard available attributes don’t meet your needs, use advanced mode to customize an attribute.

Steps

  1. On the Attribute Mapping tab for any application you are editing, click Advanced on the line of the attribute you want to map.

  2. Optional: For SAML_SUBJECT, configure the Name ID Format.

    Setting: Name ID Format to request from IdP

    Setting: Name ID Format to send to SP

    Available values (for either setting):

    • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

    • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

    • urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified

    • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

    • urn:oasis:names:tc:SAML:2.0:nameid-format:entity

    • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

    • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  3. Optional: For all other attributes, configure the NameFormat.

    Setting: NameFormat

    Available values:

    • urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

    • urn:oasis:names:tc:SAML:2.0:attrname-format:uri

    • urn:oasis:names:tc:SAML:2.0:attrname-format:basic

  4. Optional: For all attributes, apply advanced attribute mappings.

    Choose from:

    • In the IDP Attribute Name or Literal Value list, enter or select an attribute value.

    • Select the As Literal check box and enter a literal value to assign as an attribute.

    • For attributes that aren’t literal values, select a transformation to apply to an attribute in the Function drop-down list. The following transformation functions are available, each followed by its description.

      Base64Decode

      Decode the source value.

      Returns a null result if the source value isn’t a valid Base64 encoding.

      Base64Encode

      Encode the source value.

      ExtractByRegularExpression

      Apply a regular expression to the attribute values. Any portion of a value that matches the regular expression is assigned to the attribute.

      For example, an incoming assertion uses memberOf, and you want only groups that match a specified list sent in the outgoing assertion. Assume the groups you want are A, B, C and D, and the incoming assertion contains the groups A, B, E, F in the memberOf attribute. In this case, your regular expression extracts only the group A and B values.

      FilterByRegularExpression

      Apply a regular expression to the attribute values. Only values that match the regular expression are assigned to the attribute.

      For example, if you want the resulting values to start with 'A' or 'b', use the regular expression [Ab].*.

      GetDomainPartFromEmail

      Get the domain part from an email string.

      For example, get foo.com from bob.smith@foo.com.

      GetFirstRelativeDN

      Get the first relative distinguished name (DN) from a DN string.

      For example, get Bob Smith from CN=Bob Smith,OU=Sales,DC=Fabrikam,DC=com.

      GetLocalPartFromEmail

      Get the local part from an email string.

      For example, get bob.smith from bob.smith@foo.com.

      Hash

      Apply a hashing algorithm to the attribute value. You select the algorithm and the encoding format in the Hashing Algorithm and Encoding Format lists.

      Hashing Algorithm options:

      • MD5

      • SHA-1

      • SHA-256

      Encoding Format options:

      • hex

      • Base64

      PickByFieldsFromJsonList

      Pick the field values from a multivalued attribute that match the condition you specify. Each field value is a JSON object.

      PickPrimaryObjectByTypeFromJsonList

      Pick the JSON objects in the list whose primary value is true and whose type value equals the condition value.

      If you don’t specify a condition, the type value is ignored and all matching primary value objects are returned.

      PickPrimaryValueByTypeFromJsonList

      Pick the value field of each JSON object in the list whose primary value is true and whose type value matches the condition value.

      If you don’t specify a condition, the type value is ignored and all matching primary value objects are returned.

      Random

      Assign a random value to the attribute. You must supply the character length to use.

      You can also apply a hashing algorithm and encoding format to the random value.

      Hashing Algorithm options:

      • None

      • MD5

      • SHA-1

      • SHA-256

      Encoding Format options:

      • None

      • hex

      • Base64

      ToLowerCase

      Change all characters to lower case.

      ToUpperCase

      Change all characters to upper case.

  5. To add an additional value to map to the attribute, click Add Attribute.

  6. Click Save.
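To make the behaviour of the transformation functions in step 4 concrete, the following is an added reference model written for this page, not PingOne's own implementation; the function names, the sample memberOf values and the JSON list are constructed, and the exact matching rules (whole-value anchoring for FilterByRegularExpression, no escaped commas in the first RDN) are assumptions.

```python
import base64
import hashlib
import json
import re

# Reference model of several transformation functions from the table above.
# Each takes the identity repository value(s) and returns what the outgoing
# assertion would carry. Constructed example, not PingOne's code.


def extract_by_regex(values, pattern):
    """ExtractByRegularExpression: keep only the matching portion of each value;
    values with no match are dropped (the memberOf example in the table)."""
    return [m.group(0) for m in (re.search(pattern, v) for v in values) if m]


def filter_by_regex(values, pattern):
    """FilterByRegularExpression: keep whole values that match, drop the rest.
    Assumption: the expression must match the whole value."""
    return [v for v in values if re.fullmatch(pattern, v)]


def get_domain_part(email):
    """GetDomainPartFromEmail: bob.smith@foo.com -> foo.com."""
    return email.rpartition("@")[2]


def get_local_part(email):
    """GetLocalPartFromEmail: bob.smith@foo.com -> bob.smith."""
    return email.rpartition("@")[0]


def get_first_rdn(dn):
    """GetFirstRelativeDN: the value of the first RDN, as in the table's example.
    Assumption: the first RDN contains no escaped commas."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def hash_value(value, algorithm="SHA-256", encoding="hex"):
    """Hash: MD5 / SHA-1 / SHA-256 digest of the value, hex or Base64 encoded."""
    digest = hashlib.new(algorithm.replace("-", "").lower(), value.encode()).digest()
    return digest.hex() if encoding == "hex" else base64.b64encode(digest).decode()


def pick_primary_value_by_type(json_list, condition=None):
    """PickPrimaryValueByTypeFromJsonList: the 'value' of every object whose
    'primary' is true and whose 'type' equals the condition (type ignored if none)."""
    objs = json.loads(json_list) if isinstance(json_list, str) else json_list
    return [o["value"] for o in objs
            if o.get("primary") is True and (condition is None or o.get("type") == condition)]


# Constructed sample inputs: the memberOf groups from the table's example and a
# JSON list of email objects with a primary flag and a type field.
MEMBER_OF = ["A", "B", "E", "F"]
EMAILS_JSON = json.dumps([
    {"value": "bob.smith@foo.com", "type": "work", "primary": True},
    {"value": "bob@example.org", "type": "home", "primary": False},
])
```

Running extract_by_regex(MEMBER_OF, "A|B|C|D") yields only A and B, while filter_by_regex on the same list with the same expression yields the same result here but would differ for values like "AB", where extraction returns the matched portion and filtering drops the whole value.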