An attribute contract is the set of user attributes that you and your partner have agreed will be sent in SSO tokens for this connection (see Attribute contracts). You may extend the attribute contract with additional attributes. Optionally, you can configure PingFederate to mask individual extended attributes in its logs (see Attribute masking).


If you are creating or updating a SAML or an OpenID Connect IdP connection, consider using the partner's metadata to do so. If the metadata contains the required information, PingFederate automatically populates the attribute contract for you.

  1. Enter the attribute name in the text box.
    Attribute names are case-sensitive and must correspond to the attribute names expected by your partner.

    If you are configuring a SAML connection to an InCommon participant, the assertion may contain attributes such as urn:oid:0.9.2342.19200300.100.1.3 and urn:oid:, which are standard names under various specifications, such as RFC4524 and RFC4519. The following table describes a subset of the OIDs (object IDs) referenced by the most common attributes used by InCommon participants.

    OID value                    Description
    0.9.2342.19200300.100.1.3    mail
                                 eduPersonAffiliation
                                 eduPersonPrincipalName
                                 eduPersonEntitlement
                                 eduPersonScopedAffiliation
                                 eduPersonTargetedID
                                 cn
                                 sn
                                 o
                                 givenName
    2.16.840.1.113730.3.1.241    displayName

    For other attributes, refer to the metadata from your partner. The FriendlyName values, if available, should provide additional information about the attributes. Alternatively, third-party resources might help as well.

  2. Optional: Select the check box under Mask Values in Log.
  3. Click Add.
  4. Repeat until all desired attributes are defined.

Use the Edit, Update, and Cancel workflow to make or undo a change to an item. Use the Delete and Undelete workflow to remove an item or cancel the removal request.
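
Because attribute names are case-sensitive and must match what the partner sends, it helps to compare the names you plan to enter in step 1 against the partner's metadata before saving the connection. The following is an added example, not PingFederate code and not a PingFederate API: the metadata document, the entityID, the `memberOf` name, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata; the entityID is a placeholder.
# Real partner metadata is untrusted input: verify its signature and
# parse it with a hardened XML parser before relying on it.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def partner_attributes(metadata_xml):
    """Return {Name: FriendlyName or None} for attributes the IdP advertises."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for attr in root.findall(".//md:IDPSSODescriptor/saml:Attribute", NS):
        found[attr.get("Name")] = attr.get("FriendlyName")
    return found

def check_contract(contract, metadata_xml):
    """Compare planned contract names with the partner's, case-sensitively."""
    advertised = partner_attributes(metadata_xml)
    by_folded = {name.casefold(): name for name in advertised}
    report = {"ok": [], "case_mismatch": [], "unknown": []}
    for name in contract:
        if name in advertised:
            report["ok"].append(name)
        elif name.casefold() in by_folded:
            # Same name in a different case: it would not match the partner's attribute.
            report["case_mismatch"].append((name, by_folded[name.casefold()]))
        else:
            report["unknown"].append(name)
    report["not_in_contract"] = sorted(set(advertised) - set(contract))
    return report

if __name__ == "__main__":
    # Constructed contract: the first entry differs from the partner's name only in case.
    contract = ["URN:OID:0.9.2342.19200300.100.1.3", "memberOf"]
    for key, value in check_contract(contract, SAMPLE_METADATA).items():
        print(key, value)
```

A name reported under `case_mismatch` or `unknown` should be corrected or confirmed with the partner before you click Add.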