Mapping attributes to groups - PingFederate - 10.2

PingFederate Server

bundle
pingfederate-102
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 10.2
category
Product
pf-102
pingfederate
ContentType_ce

Map attribute values in the System for Cross-domain Identity Management (SCIM) request to group attributes.

  1. On the Attribute Fulfillment tab, for each attribute, select a source from the list and then choose or enter a value. You must map all target attributes.
    • Context

      When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.

      Note:

      As the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.

      Note:

      If you are configuring an OAuth Attribute Mapping configuration and have added PERSISTENT_GRANT_LIFETIME as an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.

      • To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.
      • To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression in the Value field.

        If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.

        If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.

        If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.

      • To set a static lifetime, select Text from the Source list and enter a static value in the Value field.

        This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.

    • Expression
      This option provides more complex mapping capabilities ,such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
      Tip:

      If you need to map two attribute values from a SCIM request to one LDAP attribute value, use an OGNL expression to create the LDAP attribute.

      Tip:

      Enable OGNL expression by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.

      For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the System > Server > Cluster Management window, and restart all nodes.

    • SCIM Group

      When you make this selection, the associated Value list populates with the defined components of the SCIM request.

    • No Mapping

      Select this option to ignore the Value field.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the ${attribute} syntax.

  2. Click Done.