A resource might require that the access token contains the scope superuser. Configure the superuser scope in PingFederate.
- Enable Expressions within PingFederate.
- Extend the Access Token Attribute Contract to include the value scope.
- Map the following value into the access token attribute contract.

  | Contract | Source | Value |
  | --- | --- | --- |
  | scope | Expression | @com.pingidentity.sdk.oauth20.Scope@encode(#this.get("context.OAuthScopes").getValuesAsHashSet()) |
- Manage the OpenID Connect policy to add the following information:
  - Attribute Contract: To extend the contract to include the scope attribute, select Override Default Delivery using the ID Token.
    Note: This step is not applicable to PingFederate 9.0 and earlier. Instead, in the Manage Policy window, select the Include User Info in ID Token check box.
  - Attribute Scopes: From the Scope list, select openid, and from the Attribute list, select scope.
    Note: This feature does not exist in PingFederate versions earlier than 9.0. To work around this issue:
    - Ensure PingAccess is configured to include profile in the list of Web Session scopes.
    - In PingFederate, ensure the profile scope is defined in Scope Management.
    - During authentication, the user must accept usage of the profile scope. If the user does not accept usage of the profile scope, then the web session scope rule will always fail for that user.
  - Contract Fulfillment: Modify the scope Attribute Contract to use Access Token as the Source with a Value of scope.
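To confirm the mapping end to end, decode an issued ID token and check that the scope attribute is present and contains superuser as a whole token. This is an added example, not part of the Ping Identity documentation; it assumes the token is a compact JWT and that the scope attribute arrives as a space-delimited string (a JSON array is also accepted), and the sample tokens are constructed.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT for inspection only.
    No signature check happens here, so never base an access decision on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(claims: dict, attribute: str = "scope") -> set:
    """Return the scopes carried in the mapped attribute.
    Assumption: space-delimited string, or a JSON array of strings."""
    value = claims.get(attribute)
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, list):
        return {s for s in value if isinstance(s, str)}
    return set()  # attribute missing or of an unexpected type


def has_scope(claims: dict, required: str = "superuser") -> bool:
    """Exact-token match; a missing attribute fails closed."""
    return required in granted_scopes(claims)


def constructed_token(claims: dict) -> str:
    """Build a sample token for this example. The signature is a placeholder."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    samples = {
        "mapped": {"sub": "joe", "scope": "openid profile superuser"},
        "lookalike": {"sub": "joe", "scope": "openid superuser_readonly"},
        "not delivered": {"sub": "joe"},
    }
    for name, claims in samples.items():
        print(name, has_scope(jwt_claims(constructed_token(claims))))
```

The "not delivered" case is what the token looks like when the attribute never reaches the ID token, for example when the profile scope workaround applies and the user declined that scope.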