Use this configuration to map values obtained from the SSO tokens into the persistent grants. The USER_KEY attribute is the identifier of the persistent grants. The USER_NAME attribute is the name shown to the resource owner on OAuth user-facing pages. If extended attributes are defined on the OAuth Server > Authorization Server Settings screen, configure a mapping for each of them as well. You can optionally set up datastore queries to supplement the values returned from the source. This mapping configuration is suitable for the Authorization Code and Implicit grant types.

  1. Create a new IdP connection or select an existing IdP connection from the Service Provider menu.
  2. On the Connection Type screen, select the Browser SSO Profiles check box and the applicable protocol.
  3. On the Connection Options screen, select the Browser SSO check box and then select the OAuth Attribute Mapping check box.
    Tip: You may also select other options on the Connection Type and Connection Options screens. If you do, you will be prompted to complete the required configuration. For simplicity, this topic focuses only on the OAuth Attribute Mapping configuration.

  4. On the General Info screen, enter the required information.
  5. On the Browser SSO screen, click Configure Browser SSO and follow its series of tasks to complete the User-Session Creation configuration.
  6. On the OAuth Attribute Mapping screen, select the Map directly into Persistent Grant option, and then click Configure OAuth Attribute Mapping to continue.
    Alternatively, if you have mapped an authentication policy contract (APC) on the User-Session Creation > Target Session Mapping screen, you may select the Map to OAuth via Authentication Policy Contract option, and then select the applicable APC from the list.