On the OAuth Assertion Grant Attribute Mapping > OAuth Assertion Grant Attribute Mapping Configuration > Contract Fulfillment screen, map values from the SAML assertions or JWTs to the attributes defined for the attribute contract. These are the values that the Access Token Manager instance requires to create an OAuth access token.

At runtime, an SSO operation fails if PingFederate cannot fulfill the required attribute.

Map attributes from one of the following Sources:
  • Assertion

    When selected, the Value list is populated with attributes from the SAML assertion or the JWT.

    For example, to map the value of SAML_SUBJECT from a SAML assertion (or sub from a JWT) as the value of an attribute on the access-token contract, select Assertion from the Source list and TOKEN_SUBJECT from the Value list.

  • Context

    When selected, the Value list is populated with the available context of the transaction.


    The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are more appropriate to evaluate and return values (see Expression).

  • Extended Client Metadata

    Values are returned from the client record.

  • LDAP, JDBC, or Other

    When selected, the Value list is populated with attributes that you have selected from the datastore. Select the desired attribute from the list.

  • Expression (when enabled)

    This option provides more complex mapping capabilities; for example, transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions (see Text).

    Note that expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.

  • No Mapping

    Select this option to ignore the Value field, causing no value selection to be necessary.

  • Text

    When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the ${attribute} syntax.

    You can also enter values from your datastore, when applicable, using this syntax:


    where attribute is any attribute that you have selected from the datastore.

  1. Choose a source and then choose (or enter) a value for each attribute in the contract.
  2. Click Next.