Map attribute values in the System for Cross-domain Identity Management (SCIM) request to user-account attributes.
On the Attribute Fulfillment tab, for each attribute, select
a source from the Source list and then choose or enter a
value. You must map all attributes.
When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.Note:
As the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.Note:
If you are configuring an OAuth Attribute Mapping configuration and have added
PERSISTENT_GRANT_LIFETIMEas an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.
- To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.
- To set lifetime based on the outcome of attribute mapping expressions, select
Expression as the source and enter an OGNL expression in
the Value field.
If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.
If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.
If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.
- To set a static lifetime, select Text from the
Source list and enter a static value in the
This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.
Enable OGNL expression by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.
For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the window, and restart all nodes.This option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.Tip:
If two attribute values from a SCIM request need to be mapped to one LDAP attribute value, use an OGNL expression to create it.
- SCIM User
When you make this selection, the associated Value list populates with defined components of the SCIM request.
- No Mapping
Select this option to ignore the Value field.
The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request using the
- Click Done.