The identity hint contract is the set of attributes received in the CIBA request that identifies the user. IDENTITY_HINT_SUBJECT is a core attribute and is automatically populated by the sub attribute of an identity hint token (if found) or the attribute value of the login_hint request attribute.

A client can send an ID token (id_token_hint) or a login hint token (login_hint_token) as the identity hint token. If you extend the identity hint contract with attribute names from the identity token, PingFederate fulfills them with values found in the identity token.


As needed, all attributes can optionally be fulfilled differently on the Identity Hint Contract Fulfillment screen.

  1. Optional: Enter an attribute name under Extend the Contract and then click Add.
  2. Repeat the previous step to define additional attributes.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Click Delete to remove an entry.

  3. Click Next.


Suppose the following JWT matches the expected structure of the login hint tokens:

  "sub": "asmith",
  "attrs": {
    "mail": "",
    "phone": "555-555-5555"

To add both the mail and phone attributes, extend the contract with login_hint_token.attrs.mail and, respectively.