PingFederate provides an advanced option allowing administrators to map user attributes by way of an expression language, Object-Graph Navigation Language (OGNL). Because the option carries with it a potential for misuse, however, it is disabled in the administrative console for security reasons.


The security concern posed by expressions is related to a potential for abuse by PingFederate administrative users within an organization; the concern is not related to any known external threats. We recommend, however, that the option be enabled only if required.