When mapping a default context, define how PingFederate maps values into the attributes based on the persistent-grant USER_KEY, and any extended attributes defined in System > OAuth Settings > Authorization Server Settings. PingFederate acts as an OAuth authorization server.

When a specific context is selected, you can map attributes from the selected context, specifically the chosen IdP adapter instance, Password Credential Validator instance, or authentication policy contract, into the access tokens. You can also map attributes from an IdP connection with an OAuth attribute mapping configuration or an authentication policy contract mapping configuration. You can configure a mapping for clients using the client credential grant type.

The mapping used at runtime depends on the authentication context of the original grant. If the authentication context results in a match, PingFederate uses that specific mapping. Otherwise, it uses the default mapping for the applicable access token manager instance.


The Access Token Mapping window becomes available after at least one access token manager (ATM) instance has been configured in Applications > OAuth > Access Token Management.

  1. Go to Applications > OAuth > Access Token Management.
    Create a mapping Select the source of the attributes from the Context list and the target ATM instance from the Access Token Manager list, and then click Add Mapping.
    Modify an existing mapping Select it by its name under Mappings.
    Remove an existing mapping or to cancel the removal request Click Delete or Undelete under Action.

    Before removing an existing mapping from your configuration, ensure that it is not used by your OAuth use cases.