The Attribute Fulfillment screen provides a means of mapping the incoming attributes to the account attributes on an LDAP server, the columns in a database table (on a Microsoft SQL Server), or the parameters of a Microsoft SQL Server stored procedure. Besides values obtained from the SSO token, you may also map from the context of the SSO token, text with or without references values from the SSO token, and expression (if enabled).

If a Microsoft SQL Server datastore is chosen on the User Repository screen, the Attribute Fulfillment screen, you may also test the insertion of attribute values into the database table or the stored procedure. When mapping to a database column of the datetime or smalldatetime data type, if you are not using a stored procedure to convert the incoming string value, you may use a PingFederate Java conversion method via OGNL expressions.

  1. Select a source from the list for each target attribute or parameter.
    • Assertion or Provider Claims

      Values are contained in the SSO token from this IdP. When you make this selection, the associated Value list is populated by the attribute contract).

    • Context

      Values are returned from the context of the transaction at runtime.


      The HTTP Request is retrieved as a Java objects rather than text. For this reason, OGNL expressions are more appropriate to evaluate and return values. (Choose Expression and then click Edit to enter an expression.)

    • Attribute Query

      This choice appears only if you have chosen to use the Attribute Query profile for provisioning.

      To map an attribute-query value, use this syntax: ${query_attribute}

      You can also combine attribute-query values with references to attributes in the attribute contract; for example: ${query_attribute}+${attribute}

      References to attributes not contained in the attribute contract result in an Attribute Query back to the IdP partner.

    • Expression

      If you have not already done so, you may enable OGNL expression by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory. Restart PingFederate after saving the change.

      For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes on the System > Cluster Management screen, and restart all nodes.

      This option provides more complex mapping capabilities; for example, transforming incoming values into different formats. All of the variables available for text entries (see below) are also available for expressions.

      If multiple attribute values from one or multiple sources need to be mapped to one attribute value, use an OGNL expression to create it.

      For database mapping, if the data type of a target parameter is datetime or smalldatetime, you can use an expression to convert date-time strings from the SSO token. After selecting Expression for such attributes, click Datetime OGNL Examples under the text box for syntax information and examples.

    • System Managed (if applicable)

      This mapping option appears only when any automatically assigned attributes are among columns to be provisioned; for example, an identity or a timestamp column on the Microsoft SQL Server.

    • Text
      The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SSO token, using the ${attribute} syntax.

      For LDAP mapping, choose Text as the Source for the objectClass attribute.

      For mapping into a database, if no entry is required for a column, you can leave the text box blank. A blank entry results in an empty string in the database for string data types and null for all other data types. Alternatively, for string types, you can enter null in the text box to explicitly set null in the column.

  2. Select (or enter) an attribute value.
    All values must be mapped. However, for optional table columns, you may leave a text box blank (or, for string data types, enter null to avoid empty strings).
    Note that no value is required for System Managed attributes.

    For Active Directory, enter user in the text box for objectClass. For Oracle Directory Server or Oracle Unified Directory, enter inetOrgPerson.

  3. Optional: When mapping to a Microsoft SQL Server datastore, test the insertion.
    1. Click Test insert into 'table'.
    2. Enter values for each applicable target parameter.
    3. Click Test Insert.

      If the test succeeds, a confirmation is displayed along with the values inserted.


      Unless you wish to keep the test values in the database, click Roll Back All Test Inserts

    Stored procedure
    1. Click Test call to 'procedure'.
    2. Enter values for each applicable target parameter.
    3. Click Test Stored Procedure Call.

      For stored procedures, only a confirmation is displayed if the test is successful, indicating that the procedure was populated with parameter values.


      No roll back feature is provided because PingFederate does not know the result of the procedure. Database rollback, if needed, must be handled manually.

    When finished, click Return to Attribute Fulfillment.