Configuring the policy attribute contract - PingFederate

Configuring the policy attribute contract - PingFederate - 10.0

PingFederate Server

bundle

pingfederate-100

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 10.0

category

Product

pf-100

pingfederate

ContentType_ce

Page created: 12 Sep 2019 |

Page updated: 19 Mar 2020

| 2 min read

PingFederate 10.0 Product Configuration User task OAuth Standards, specifications, and protocols Software Deployment Method Product documentation Content Type Administrator Audience

On the Attribute Contract screen, define the list of attributes that PingFederate can return to the OAuth clients. Every new OpenID Connect policy contract begins with a list of standard attributes. These are attributes (or claims) defined in the OpenID Connect specification. You can optionally remove standard attributes, edit them to turn them into non-standard attributes, and add new non-standard attributes.

Note:

In OpenID Connect, scopes affect the list of attributes that PingFederate can return to the OAuth clients. In other words, the attributes that PingFederate returns to OAuth clients vary, depending on the scopes approved by the resource owner in the first place.

By default, all attributes defined on this screen are deliverable through the UserInfo endpoint. In the scenario where an implicit client makes a token request by providing id_token as the sole response_type parameter value, the client will only receive an ID token without an access token. Because the client will not be able to retrieve additional attributes from the UserInfo endpoint without a valid access token, PingFederate includes the applicable attributes in the ID token instead.

If you have not selected the Include User Info in ID Token option on the Manage Policy screen for this policy, you may choose how attributes are delivered to clients. Similar to the default delivery behavior, in the scenario where an implicit client makes a token request by providing id_token as the sole response_type parameter value, PingFederate includes the applicable attributes in the ID token regardless of any configured overrides.

To add a new attribute:
1. Enter the name of the attribute under Extend the Contract.
2. Optional: Select the Override Default Delivery check box to choose how the attribute is delivered.
  - Select the check box under ID Token if this attribute can be included in ID tokens.
  - Select the check box under UserInfo if this attribute can be included in UserInfo responses.
3. Click Add.
To modify an existing entry, use the Edit, Update, and Cancel workflow. Choose how the attribute is delivered, as needed.
To remove an existing entry, click Delete.