Authentication policy contracts, formerly known as connection mapping contracts, provide PingFederate administrators the following benefits:

  • The capability to build an attribute contract with attribute values from multiple authentication sources or datastore queries through an authentication policy.
  • The flexibility to map only the policy contract to a connection. Authentication sources in the policy leading up to the contract are not required to be mapped into the connection. For example, administrators can experiment with various IdP adapter instances without the burden of adding and removing them to and from the connection.
  • The potential to reuse authentication policies that use the same policy contract in multiple SP connections, IdP connections, and OAuth use cases (using the OAuth Authorization Code or Implicit grant types).

Authentication policy contracts are also the media to carry user attributes from IdPs to SPs when PingFederate is deployed as a federation hub (see Federation hub use cases).