When a datastore is configured and the attribute mappings under Attribute Sources & User Lookup fail to complete the attribute contract in an SP connection, you can choose to configure a set of failsafe Attribute Contract Fulfillment mappings. For example, you might configure a set of attributes to identify the SSO subject as a guest user at the SP.
The Failsafe Attribute Source screen does not appear if you have selected the Retrieve additional attributes from multiple data stores using one mapping option on the Mapping Method screen.
The attribute contract is fulfilled using either the mapping configured under Attribute Sources & User Lookup or the failsafe mapping, not both. In other words, you cannot use the failsafe mapping to fill in missing attributes when some are found via the datastore mapping setup but others are not.
The failsafe mapping is used only when all of the mappings configured in the datastore setup fail to return values for any reason. If any mapping succeeds (an attribute mapped to text, for example), failover does not occur.
Alternatively, you can have PingFederate stop the SSO transaction. This choice depends on your agreement with the SP.
- To enable the failsafe mapping, select Send user to SP using default list of attributes, and then map or enter the desired values on the Attribute Contract Fulfillment screen.
- To stop the SSO transaction, select Abort the SSO transaction.
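The all-or-nothing rule above can be sketched as a small model. This is an added example, not PingFederate code or its configuration format: the mapping tuples, attribute names (`subject`, `role`), the `fulfill` and `failsafe_reachable` helpers, and the sample values are all assumptions constructed for illustration.

```python
"""Illustrative model of the failsafe decision (not PingFederate code)."""
from typing import Dict, Optional, Tuple

# Assumed shape: contract attribute -> ("text", literal) or ("datastore", column).
Mapping = Dict[str, Tuple[str, str]]


class SsoAborted(Exception):
    """Stands in for the "Abort the SSO transaction" choice."""


def failsafe_reachable(mapping: Mapping) -> bool:
    # A text mapping always returns a value, so "all mappings fail" can never
    # be true and the failsafe list is never used.
    return all(kind != "text" for kind, _ in mapping.values())


def fulfill(mapping: Mapping, row: Optional[dict], failsafe: dict,
            abort: bool = False) -> dict:
    """row is the datastore lookup result; None means it returned nothing."""
    row = row or {}
    values = {}
    for attr, (kind, ref) in mapping.items():
        values[attr] = ref if kind == "text" else row.get(ref)
    if any(v is not None for v in values.values()):
        # At least one mapping succeeded: the datastore mapping is used as-is.
        # Gaps stay unfilled (None here); the failsafe never tops them up.
        return values
    if abort:
        raise SsoAborted("no attribute mapping returned a value")
    return dict(failsafe)


# Constructed sample configuration and lookups.
LOOKUP_ONLY = {"subject": ("datastore", "uid"), "role": ("datastore", "title")}
WITH_TEXT = {"subject": ("datastore", "uid"), "role": ("text", "employee")}
GUEST = {"subject": "guest", "role": "guest"}

if __name__ == "__main__":
    print(fulfill(LOOKUP_ONLY, None, GUEST))              # failsafe list used
    print(fulfill(LOOKUP_ONLY, {"uid": "alice"}, GUEST))  # partial, no failover
    print(fulfill(WITH_TEXT, None, GUEST), failsafe_reachable(WITH_TEXT))
```

In this model, a failed lookup against `WITH_TEXT` still yields the text-mapped `role` and never the guest values, which is the case to check for when a failsafe list is expected to act as the guest fallback.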