Configuring the policy attribute contract - PingFederate - 10.2


In the Attribute Contract tab, you can define the list of attributes that PingFederate can return to the OAuth clients.

Every new OpenID Connect policy contract begins with a list of standard attributes. These attributes or claims are defined in the OpenID Connect specification. You can optionally remove standard attributes, turn them into non-standard attributes, or add new non-standard attributes.

Note:

In OpenID Connect, scopes affect the list of attributes that PingFederate can return to the OAuth clients. The attributes that PingFederate returns to OAuth clients vary, depending on the scopes originally approved by the resource owner.

By default, all attributes defined on this window are deliverable through the UserInfo endpoint. If an implicit client makes a token request by providing id_token as the only response_type parameter value, the client will only receive an ID token without an access token. As the client will not be able to retrieve additional attributes from the UserInfo endpoint without a valid access token, PingFederate includes the applicable attributes in the ID token instead.

If you have not selected the Include User Info in ID Token option in the Manage Policy tab for this policy, you can choose how attributes are delivered to clients. Similar to the default delivery behavior, in the scenario where an implicit client makes a token request by providing id_token as the sole response_type parameter value, PingFederate includes the applicable attributes in the ID token regardless of any configured overrides.

  • To add a new attribute:
    1. Enter the name of the attribute under Extend the Contract.
    2. Optional: Select the Override Default Delivery check box to choose how the attribute is delivered.
      • Select the check box under ID Token if this attribute can be included in ID tokens.
      • Select the check box under UserInfo if this attribute can be included in UserInfo responses.
    3. Click Add.
  • To modify an existing entry, use the Edit, Update, and Cancel buttons. Choose how the attribute is delivered, as needed.
  • To remove an existing entry, click Delete.
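
The delivery rules above can be modelled to check which contract attributes end up in the ID token for a given `response_type`. This is an added example, not PingFederate code. It assumes that Include User Info in ID Token is not selected, that the contract list is already limited to the attributes applicable for the approved scopes, and that default delivery means UserInfo only; the class, function, and sample attribute names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContractAttribute:
    name: str
    override: bool = False  # "Override Default Delivery" check box
    id_token: bool = False  # "ID Token" check box (read only when override is set)
    userinfo: bool = False  # "UserInfo" check box (read only when override is set)


def plan_delivery(contract, response_type):
    """Return {"id_token": [...], "userinfo": [...]} for one token request."""
    names = [attr.name for attr in contract]
    if set(response_type.split()) == {"id_token"}:
        # No access token is issued, so the client cannot call UserInfo:
        # all applicable attributes go into the ID token, overrides ignored.
        return {"id_token": names, "userinfo": []}
    plan = {"id_token": [], "userinfo": []}
    for attr in contract:
        if not attr.override:
            plan["userinfo"].append(attr.name)  # default delivery (assumed UserInfo only)
            continue
        if attr.id_token:
            plan["id_token"].append(attr.name)
        if attr.userinfo:
            plan["userinfo"].append(attr.name)
    return plan


def unexpected_id_token_claims(contract, response_type):
    """Attributes placed in the ID token although the contract does not select ID Token delivery."""
    intended = {a.name for a in contract if a.override and a.id_token}
    delivered = plan_delivery(contract, response_type)["id_token"]
    return [name for name in delivered if name not in intended]


# Constructed sample contract, for illustration only.
SAMPLE_CONTRACT = [
    ContractAttribute("email"),
    ContractAttribute("groups", override=True, id_token=True),
    ContractAttribute("employee_id", override=True, userinfo=True),
]

if __name__ == "__main__":
    for rt in ("code", "id_token token", "id_token"):
        print(rt, plan_delivery(SAMPLE_CONTRACT, rt),
              unexpected_id_token_claims(SAMPLE_CONTRACT, rt))
```

Running the check against each `response_type` a client is allowed to use shows where an attribute restricted to UserInfo would still be written into an ID token.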