On the Adapter Contract Fulfillment screen, map values to the attributes defined for the contract. These are the values that the target application requires to create a local session for the user.

If you are bridging an identity provider to one or more service providers, the values mapped to the authentication policy contracts are used by the associated SP connections to create assertions for the service providers (see Federation hub use cases).

At runtime, an SSO operation fails if PingFederate cannot fulfill the required attribute.

For each attribute, select a source from the list and then choose or enter a value.

  • AccountLink

    When selected, the Value list is populated with Local User ID. Normally, you would map Local User ID to an adapter attribute that represents the user identifier at the target. This source is not applicable to authentication policy contracts. In addition, this source appears only if you have elected to use account linking for a target session on the Identity Mapping screen.

  • Assertion or Provider Claims

    When selected, the Value list is populated with attributes from the SSO token. Select the desired attribute from the list.

    For example, to map the value of SAML_SUBJECT from a SAML assertion as the value of the subject user identifier on the contract, select Assertion from the Source list and SAML_SUBJECT from the Value list.

  • Context

    When selected, the Value list is populated with the available context of the transaction. Select the desired context from the list.

    Note:

    The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are more appropriate to evaluate and return values.

    Note:

    If you are configuring an OAuth Attribute Mapping configuration and PERSISTENT_GRANT_LIFETIME has been added as an extended attribute on the OAuth Server > Authorization Server Settings screen, you have the option to set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.

    • To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context as the source and Default Persistent Grant Lifetime as the value.
    • To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression as the value.

      If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.

      If the expression returns the integer 0, PingFederate does not store the grant and does not issue refresh token.

      If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.

    • To set a static lifetime, select Text as the source and enter a static value.

      This is most suitable for testing purposes or use cases where the persistent grant lifetime must always be set to a certain value in some specific grant-mapping configurations.

  • LDAP, JDBC, or Other

    When selected, the Value list is populated with attributes that you have selected from the datastore. Select the desired attribute from the list.

  • Expression (when enabled)

    This option provides more complex mapping capabilities; for example, transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions (see Text).

    Note that expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.

  • No Mapping

    Select this option to ignore the Value field, causing no value selection to be necessary.

  • Text

    When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the ${attribute} syntax.

    You can also enter values from your datastore, when applicable, using this syntax:

    ${ds.attribute}

    where attribute is any attribute that you have selected from the datastore.

    Tip:

    Two other text variables are also available: ${SAML_SUBJECT} and ${TargetResource}. SAML_SUBJECT is the initiating user (or other entity). TargetResource is a reference to the protected application or other resource for which the user requested SSO access; the ${TargetResource} text variable is available only if specified as a query parameter for the relevant endpoint (either as TargetResource for SAML 2.0 or TARGET for SAML 1.x).

    There are a variety of reasons why you might hard code a text value. For example, if your web application provides a consumer service, you might want to supply a particular promotion code for the partner.

If you are editing a currently mapped adapter instance or APC, you can update the mapping configuration, which may require additional configuration changes in subsequent tasks.