If you have chosen the failsafe option on the Mapping Method screen and the Send user to SP using default list of attributes option on the Failsafe Attribute Source screen, define the default values that should be sent in the SSO tokens to the SP on the Attribute Contract Fulfillment screen.

For each attribute, select a source from the list and then choose or enter a value.

  • Adapter or Authentication Policy Contract (the authentication source)

    When selected, the Value list is populated with attributes from the authentication source. Select the desired attribute from the list. At runtime, the attribute value from the authentication source is mapped to the value of the attribute in the SSO token.

    For example, to map the value of the HTML Form Adapter's username attribute as the value of the SAML_SUBJECT attribute on the contract, select Adapter from the Source list and username from the Value list.

  • Context

    When selected, the Value list is populated with the available context of the transaction. Select the desired context from the list. At runtime, the context value is mapped to the value of the attribute in the SSO token.


    If you are configuring an SP connection to bridge one or more identity providers to a service provider, consider mapping the original issuer of the assertions into an attribute by selecting Context as the source and Authenticating Authority as the value. This is especially important when bridging multiple identity providers to one service provider, where the service provider should take the information about the original issuer into consideration before granting access to protected resources.

    For more information, see Bridging multiple IdPs to an SP.


    The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are more appropriate to evaluate and return values (see Expression).

  • Expression (when enabled)

    This option provides more complex mapping capabilities; for example, transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions (see Text).

    Note that expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.

  • No Mapping

    Select this option to ignore the Value field, causing no value selection to be necessary.

  • Text

    When selected, the text you enter is mapped to the value of the attribute in the SSO tokens at runtime. You can mix text with references to any of the values from the authentication source using the ${attribute} syntax.


    Two other text variables are also available: ${SAML_SUBJECT} and ${TargetResource}. SAML_SUBJECT is the initiating user (or other entity). TargetResource is a reference to the protected application or other resource for which the user requested SSO access; the ${TargetResource} text variable is available only if specified as a query parameter for the relevant endpoint (either as TargetResource for SAML 2.0 or TARGET for SAML 1.x).

All attributes must be mapped.

If you are editing a currently mapped adapter instance or APC, you can update the mapping configuration, which may require additional configuration changes in subsequent tasks.