The identity hint contract is the set of attributes received in the CIBA request that identifies the user. IDENTITY_HINT_SUBJECT is a core attribute and is automatically populated by the sub attribute of an identity hint token (if found) or the attribute value of the login_hint request attribute.
A client can send an ID token (id_token_hint) or a login hint token (login_hint_token) as the identity hint token. If you extend the identity hint contract with attribute names from the identity token, PingFederate fulfills them with values found in the identity token.
As needed, all attributes can optionally be fulfilled differently on the Identity Hint Contract Fulfillment screen.
Example
Suppose the following JWT matches the expected structure of the login hint tokens:
{
"sub": "asmith",
"attrs": {
"mail": "asmith@example.com",
"phone": "555-555-5555"
}
}
To add both the mail and phone attributes,
extend the contract with login_hint_token.attrs.mail
and
login_hint_token.attrs.phone
, respectively.