In concert with the attribute contract between partners, token contracts specify the transfer of attributes, consisting of a list of case-sensitive attribute names.

On the identity provider (IdP) side of a federation, PingFederate receives token-processor attributes. For more information, see Token processors and generators and Managing token processors.

On the service provider (SP) side, a token generator requires token-generator contract attributes to pass identify information from the token to the web service client application. Each security domain requires at least one token generator type. Then a token-generator instance must be configured for each target application. For more information, see Managing token generators. If several target applications are controlled by the same security context and can receive the same set of attributes for the user, you would deploy a token generator type and configure a token generator instance for each target application. For more information, see Managing SP token generator mappings.

Extended token generator contract

When PingFederate deploys a token-generator type, it creates token-generator contracts. When developed, these token generators are “hard-wired” to look up or set a specific set of attributes. After deployment, your attribute requirements might change. To streamline adjustment of token-generator contracts, PingFederate allows an administrator to add additional attributes to the token-generator instance through the administrative console. These adjustments are called extended token-generator contracts.