On the Token Generator Contract Fulfillment screen, map values to the attributes defined for the contract. These are the values that the web services require.

For each attribute, select a source from the list and then choose or enter a value.

  • Assertion

    When selected, the Value list is populated with attributes from the incoming SAML token (assertion). Select the desired attribute from the list. At runtime, the attribute value from the assertion is mapped to the value of the attribute in the local token.

    For example, to map the value of TOKEN_SUBJECT from a SAML assertion as the value of the subject user identifier on the token generator contract, select Assertion from the Source list and TOKEN_SUBJECT from the Value list.

  • Context

    When selected, the Value list is populated with the available context of the transaction. Select the desired context from the list. At runtime, the context value is mapped to the value of the attribute in the local token.

    Note:

    The HTTP Request and STS SSL Client Certificate Chain context values are retrieved as Java objects rather than text. For this reason, OGNL expressions are better suited to evaluating these objects and returning values (see Expression).

    Note:

    When using the STS Basic Authentication Username, STS SSL Client Certificate's Subject DN, or STS SSL Client Certificate Chain contexts, ensure the associated authentication is enabled and configured on the System > Protocol Settings > WS-Trust STS Settings screen.

  • LDAP, JDBC, or Other

    When selected, the Value list is populated with attributes that you have selected from the datastore. Select the desired attribute from the list. At runtime, the attribute value from the datastore is mapped to the value of the attribute in the local token.

  • Expression (when enabled)

    This option provides more complex mapping capabilities; for example, transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions (see Text).

    Note that expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.

  • No Mapping

    Select this option to ignore the Value field. No value selection is necessary.

  • Text

    When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SAML token, using the ${attribute} syntax.

    You can also enter values from your datastore, when applicable, using this syntax:

    ${ds.attribute}

    where attribute is any of the attributes that you have selected from the datastore.

All attributes must be mapped.
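
The source types above can be modeled in a few lines of Python. This is an added illustration, not PingFederate code, and it leaves out the Expression source. The function names, the sample values, and the choice to raise an error on an unresolved reference are assumptions of this sketch.

```python
import re

# ${name} refers to an assertion attribute, ${ds.name} to a datastore attribute.
_REF = re.compile(r"\$\{(ds\.)?([^}]+)\}")

def resolve_text(template, assertion, datastore):
    """Expand a Text-source value, mixing literal text with references."""
    def substitute(match):
        source = datastore if match.group(1) else assertion
        name = match.group(2)
        if name not in source:
            # Assumption of this model: fail closed on an unknown reference.
            raise KeyError(f"unresolved reference: {match.group(0)}")
        return str(source[name])
    return _REF.sub(substitute, template)

def fulfill_contract(contract, mappings, assertion, context, datastore):
    """Build the local token; mappings is {contract_attr: (source, value)}."""
    unmapped = [attr for attr in contract if attr not in mappings]
    if unmapped:
        raise ValueError(f"all attributes must be mapped, missing: {unmapped}")
    lookups = {"Assertion": assertion, "Context": context,
               "LDAP": datastore, "JDBC": datastore, "Other": datastore}
    token = {}
    for attr in contract:
        source, value = mappings[attr]
        if source in lookups:
            token[attr] = lookups[source][value]
        elif source == "Text":
            token[attr] = resolve_text(value, assertion, datastore)
        elif source == "No Mapping":
            token[attr] = None  # Value field is ignored
        else:
            raise ValueError(f"unsupported source: {source}")
    return token

# Constructed sample data (hypothetical, not from a real deployment).
ASSERTION = {"TOKEN_SUBJECT": "jdoe", "department": "finance"}
CONTEXT = {"STS Basic Authentication Username": "svc-client"}
DATASTORE = {"mail": "jdoe@example.com"}
CONTRACT = ["subject", "client", "email", "label", "unused"]
MAPPINGS = {
    "subject": ("Assertion", "TOKEN_SUBJECT"),
    "client": ("Context", "STS Basic Authentication Username"),
    "email": ("LDAP", "mail"),
    "label": ("Text", "${TOKEN_SUBJECT} (${department}) <${ds.mail}>"),
    "unused": ("No Mapping", None),
}
```

Calling `fulfill_contract(CONTRACT, MAPPINGS, ASSERTION, CONTEXT, DATASTORE)` returns the resolved token; removing any entry from `MAPPINGS` makes the call fail, mirroring the rule that all attributes must be mapped.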

If you are editing a currently mapped token generator instance, you can update the mapping configuration, which may require additional configuration changes in subsequent tasks.