To make user attributes available in a signed JSON web token (JWT) sent to the application in a header, create a JWT identity mapping.
The JWT issuer and signing configuration is defined in Configuring auth token management.
When configuring identity mappings, the dot notation is supported so that session token structure can be maintained. For example, if the session token contains the following entry:
```json
{
  "address": {
    "line1": "123 Any St",
    "line2": "Apt 123",
    "city": "Anytown",
    "state": "CO",
    "zip": "12345"
  }
}
```
you can define an identity mapping using the entries in the following table to maintain the structure of the target JWT.
User attribute name | JWT claim name |
---|---|
address.line1 | address.line1 |
address.line2 | address.line2 |
address.city | address.city |
address.state | address.state |
address.zip | address.zip |
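
The effect of the mapping table above, as an added Python sketch (a model for illustration, not PingAccess code): each row reads a user attribute by its dotted path and writes it to the dotted claim path, so the JWT payload keeps the nested `address` object. The function names are hypothetical, and skipping attributes that are absent from the session token and rejecting rows that map one claim as both a value and an object are assumptions.

```python
# Added illustration: a model of dot-notation identity mapping, not PingAccess code.
SESSION_TOKEN = {  # the session token entry shown on this page
    "address": {"line1": "123 Any St", "line2": "Apt 123",
                "city": "Anytown", "state": "CO", "zip": "12345"}
}
# (user attribute name, JWT claim name) rows from the table on this page
MAPPING = [(f"address.{k}", f"address.{k}")
           for k in ("line1", "line2", "city", "state", "zip")]


def get_path(doc, dotted):
    """Follow a dotted path through nested objects; KeyError if a segment is absent."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(dotted)
        node = node[part]
    return node


def set_path(doc, dotted, value):
    """Set a leaf at a dotted path, creating intermediate objects as needed."""
    *parents, leaf = dotted.split(".")
    node = doc
    for part in parents:
        node = node.setdefault(part, {})
        if not isinstance(node, dict):
            raise ValueError(f"{dotted}: '{part}' is already mapped as a plain value")
    if isinstance(node.get(leaf), dict):
        raise ValueError(f"{dotted}: already mapped as an object")
    node[leaf] = value


def map_identity(session_token, mapping):
    """Build the JWT claim set produced by a list of mapping rows."""
    claims = {}
    for attribute, claim in mapping:
        try:
            value = get_path(session_token, attribute)
        except KeyError:
            continue  # assumption: attributes absent from the session are omitted
        set_path(claims, claim, value)
    return claims


if __name__ == "__main__":
    print(map_identity(SESSION_TOKEN, MAPPING))                     # nested address object
    print(map_identity(SESSION_TOKEN, [("address.city", "city")]))  # flat top-level claim
```

A backend that reads these claims can use the same dotted-path lookup on the decoded payload once the JWT signature has been validated.
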
Tip:
PingAccess engines provide a JWKS (JSON Web Key Set) endpoint at /pa/authtoken/JWKS that can be used by backend sites to validate the signature of the JWT.