An attribute contract is the set of user attributes that you and your partner have agreed will be sent in the SSO tokens for this connection (see Attribute contracts). You identify these attributes on the Attribute Contract screen.
Establishing an attribute contract is required for WS-Federation connections. For SAML connections, attribute contracts are optional if you are sending either pseudonym or transient identifiers to the partners. When establishing an attribute contract, you may change the name format when certain conditions are met. The following table summarizes the conditions and the possible actions that you can perform on the Attribute Contract screen.
Protocol | Identity mapping | Attribute contract | SAML_SUBJECT | Additional attributes |
---|---|---|---|---|
SAML 2.0 or SAML 1.1 | Standard | Required | Built-in. Subject name format can be changed by selecting a value from a list. | Optional. Attribute name format can be changed by selecting a value from a list. |
SAML 2.0 or SAML 1.1 | Pseudonym or Transient | Required only if the Include attributes ... check box is selected on the Identity Mapping screen; otherwise the Attribute Contract screen is not shown. | Assumed and cannot be added as an additional attribute. | At least one is required. Attribute name format can be changed by selecting a value from a list. |
SAML 1.0 | Standard | Required | Built-in. Subject name format can be changed by selecting a value from a list. | Optional. There is no attribute name format. |
SAML 1.0 | Pseudonym or Transient | Required only if the Include attributes ... check box is selected on the Identity Mapping screen; otherwise the Attribute Contract screen is not shown. | Assumed and cannot be added as an additional attribute. | At least one is required. There is no attribute name format. |
WS-Federation with SAML 1.1 as the token type | Email address, user principal name, or common name | Required | Built-in. There is no subject name format. | Optional. Attribute name format can be changed by selecting a value from a list. |
WS-Federation with SAML 2.0 as the token type | Email address, user principal name, or common name | Required | Built-in. There is no subject name format. | Optional. Attribute name format can be changed by selecting a value from a list. |
WS-Federation with JWT as the token type | Not applicable | Required | Not applicable | At least one is required. There is no attribute name format. |
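As an added illustration (not from the PingFederate documentation), the following Python shows how the choices in the table appear in a SAML 2.0 assertion and how the receiving party can check an assertion against the agreed contract: the SAML_SUBJECT with its subject name format, and the additional attributes with their attribute name format. The contract values, issuer and assertion are constructed for the example; the assertion's signature is assumed to have been verified before this check runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SAML 2.0 treats an Attribute without a NameFormat as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Hypothetical contract agreed with the partner (constructed values).
CONTRACT = {
    "subject_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "attribute_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "attributes": ["givenName", "memberOf"],
}

# Constructed sample assertion (signature omitted; verify it before this check).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="givenName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_contract(xml_text, contract):
    """Return (violations, attributes); an empty violation list means the assertion conforms."""
    root = ET.fromstring(xml_text)
    problems, attributes = [], {}
    # SAML_SUBJECT: the NameID must be present and carry the agreed subject name format.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("SAML_SUBJECT missing: no Subject/NameID")
    elif name_id.get("Format") != contract["subject_format"]:
        problems.append(f"subject name format {name_id.get('Format')!r} was not agreed")
    # Additional attributes: collect values and check each attribute name format.
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if attr.get("NameFormat", UNSPECIFIED) != contract["attribute_format"]:
            problems.append(f"attribute {name!r} uses a name format that was not agreed")
        attributes[name] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    # Every attribute named in the contract must actually be delivered.
    for required in contract["attributes"]:
        if required not in attributes:
            problems.append(f"contract attribute {required!r} is missing")
    return problems, attributes
```

For a SAML 1.0 partner the NameFormat check does not apply, since that protocol has no attribute name format.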
If you are creating or updating a SAML SP connection, consider using the partner's metadata to do so. If the metadata contains the required information, PingFederate automatically populates the attribute contract for you.
Use the Edit, Update, and Cancel workflow to make or undo a change to an item. Use the Delete and Undelete workflow to remove an item or cancel the removal request.