On the LDAP Filter screen, enter a filter for PingFederate to query the data you selected to retrieve a record associated with a particular value (or values) from the user's session. The filter is in the form:
attribute1=value1
The left side (attribute1) is an attribute from your directory.
To get a list of attributes, click the View List of Available LDAP Attributes link.
The right side (value1) is the match-against value, generally a variable passed in from either an authentication source (for an IdP) or an assertion (for an SP). The variables are shown underneath the Filter text field. If you are retrieving attributes from multiple data stores using one mapping, attributes available from other sources, if previously configured, are listed near the bottom of the screen.
You can also apply additional search criteria by using other attributes from the target object class.
In general, a filter narrows a search to locate requested data by either including or excluding specific records. A filter includes the attributes in the search and the value or range of values that the search is attempting to match. Searches are conducted by using three components: at least one attribute (attribute data type) to search on, a search filter operator that will determine what to match, and the value of the attribute being sought.
Example
Suppose you want to locate user records by matching the mail Active Directory (AD) user attribute against an extended attribute, eml, in your access token contract (for the purpose of mapping attributes to an OpenID Connect policy). As a passed-in variable from the access token, ${eml} is shown underneath the Filter text field.
On the LDAP Filter screen, enter the following filter in the Filter text field:
mail=${eml}
- mail: An AD user attribute containing the email address of the user
- ${eml}: The value of the extended attribute (eml) in the access token contract
You must use the ${} syntax to retrieve the value of the enclosed variable.
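The following is an added example, not code from PingFederate or its documentation: it renders a filter template such as mail=${eml} by substituting session variables, escapes each substituted value per RFC 4515 so that a value containing filter metacharacters is matched literally, and ANDs the result with an objectClass test as described above for additional search criteria. How PingFederate itself escapes substituted values is not covered on this page; the escaping here is the check a practitioner should expect any filter builder to perform.

```python
"""Render an LDAP search filter from a ${var} template and escape the values.

Added example (not PingFederate's own code). The template syntax mirrors
the mail=${eml} filter on this page; the escaping follows RFC 4515 s.3.
"""
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise a value like "*" or "a)(cn=*" is parsed as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Matches ${name} placeholders such as ${eml}.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, variables: dict) -> str:
    """Replace each ${name} in the template with the escaped session value."""

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            # A missing variable must fail closed rather than render as empty.
            raise KeyError(f"no value for ${{{name}}} in this session")
        return escape_filter_value(variables[name])

    return _PLACEHOLDER.sub(substitute, template)


def narrow_to_object_class(filter_text: str, object_class: str) -> str:
    """AND the rendered filter with an objectClass test (additional criteria)."""
    return f"(&(objectClass={escape_filter_value(object_class)})({filter_text}))"


if __name__ == "__main__":
    # Constructed sample session value.
    print(render_filter("mail=${eml}", {"eml": "jdoe@example.com"}))
    print(narrow_to_object_class(render_filter("mail=${eml}", {"eml": "*"}), "user"))
```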