Use this screen to map outgoing user-account attributes to SCIM responses to READ requests.
Select a source from the list for each target attribute.
When selected, the Value list is populated with the available context of the transaction. Select the desired context from the list.Note:
The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are more appropriate to evaluate and return values.Note:
If you are configuring an OAuth Attribute Mapping configuration and
PERSISTENT_GRANT_LIFETIMEhas been added as an extended attribute on the screen, you have the option to set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.
- To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context as the source and Default Persistent Grant Lifetime as the value.
- To set lifetime based on the outcome of attribute mapping expressions, select
Expression as the source and enter an OGNL expression as the
If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.
If the expression returns the integer 0, PingFederate does not store the grant and does not issue refresh token.
If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.
- To set a static lifetime, select Text as the source
and enter a static value.
This is most suitable for testing purposes or use cases where the persistent grant lifetime must always be set to a certain value in some specific grant-mapping configurations.
If you have not already done so, you may enable OGNL expression by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory. Restart PingFederate after saving the change.
For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes on the screen, and restart all nodes.This option provides more complex mapping capabilities; for example, transforming outgoing values into different formats. All of the variables available for text entries (see below) are also available for expressions.Tip:
If an LDAP attribute needs to be mapped to two attributes in a SCIM response, use an OGNL expression to create them.
Values are returned from your query. When you make this selection, the Value list is populated by the LDAP attributes you identified for this datastore.
- Identity Store
Values are returned from your query. When you make this selection, the Value list is populated by the Identity Store attributes you identified for this datastore.
- No Mapping
Select this option to ignore the Value field, causing no value selection to be necessary.
The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the
Select (or enter) an attribute value.
All target attributes must be mapped.
- Click Done.