On the Contract Fulfillment screen, map values obtained from the authentication source into the persistent grants. The USER_KEY attribute is the identifier of the persistent grants. The USER_NAME attribute presents the name shown to the resource owner on OAuth user-facing pages. If extended attributes are defined on the screen, configure a mapping for each as well.
The USER_KEY attribute values must be unique across all end users because the USER_KEY attribute is the user identifier to store and to retrieve persistent grants. For example, if you have two Active Directory domains, the sAMAccountName attribute value of an end user in one domain may collide with that of another end user in the other domain. In this scenario, you can map the Subject DN attribute to the USER_KEY attribute.
When you make this selection, the associated Value drop-down list contains attributes configured in the IdP adapter instance.
Values are returned from the context of the transaction at runtime.Note:
PERSISTENT_GRANT_LIFETIMEhas been added as an extended attribute on the screen, you have the option to set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.
- To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context as the source and Default Persistent Grant Lifetime as the value.
- To set lifetime based on the outcome of attribute mapping expressions, select
Expression as the source and enter an OGNL expression as the
If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.
If the expression returns the integer 0, PingFederate does not store the grant and does not issue refresh token.
If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.
- To set a static lifetime, select Text as the source
and enter a static value.
This is most suitable for testing purposes or use cases where the persistent grant lifetime must always be set to a certain value in some specific grant-mapping configurations.
The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are more appropriate to evaluate and return values.
- Extended Client Metadata
Values are returned from the client record.
- LDAP/JDBC/Other (when a datastore is used)
Values are returned from your datastore (if used).
- Expression (when enabled)
This option provides more complex mapping capabilities—for example, transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
- No Mapping
Select this option to ignore the Value field, causing no value selection to be necessary.
The value is what you enter. This can be text only, or you can mix text with references to the attributes returned from the adapter instance, using the syntax:
You can also enter values from your datastore, when applicable, using this syntax:
attributeis any of the datastore attributes you have selected.
- Choose a source and then choose (or enter) a value for each attribute in the contract.
- Click Next.