Mapping attributes into the SCIM response - PingFederate - 10.3


Map outgoing user-account attributes to System for Cross-domain Identity Management (SCIM) responses to READ requests.

  1. On the Attribute Fulfillment tab, for each target attribute, select a source from the Source list, then choose or enter a value. All target attributes must be mapped.
    • Context

      When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.

      Note:

      Because the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.

      Note:

      If you are configuring an OAuth Attribute Mapping configuration and have added PERSISTENT_GRANT_LIFETIME as an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.

      • To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.
      • To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression in the Value field.

        If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.

        If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.

        If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.

      • To set a static lifetime, select Text from the Source list and enter a static value in the Value field.

        This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.

    • Expression

      This option provides more complex mapping capabilities, such as transforming outgoing values into different formats. All of the variables available for text entries are also available for expressions.

      Tip:

      If you need to map an LDAP attribute to two attributes in a SCIM response, use an OGNL expression to create them.

      Tip:

      Enable OGNL expressions by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.

      For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console and replicate the change to all engine nodes from the System > Server > Cluster Management window, then restart all nodes.

    • LDAP

      Values are returned from your query. When you make this selection, the Value list populates with the LDAP attributes you identified for this datastore.

    • Identity Store

      Values are returned from your query. When you make this selection, the Value list populates with the Identity Store attributes you identified for this datastore.

    • No Mapping

      Select this option to ignore the Value field.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the ${attribute} syntax.

  2. Click Done.
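
The clustered tip above depends on every engine node ending up with the same org.sourceid.common.ExpressionManager.xml as the console node. The following check is an added example, not part of the PingFederate documentation or product: it compares the expression setting across copies of that file. The item name `evaluateExpressions`, the XML layout and the node names are assumptions, since this page names the file but does not show its contents.

```python
import xml.etree.ElementTree as ET

# Assumed setting name; this page names the file but not the item inside it.
SETTING = "evaluateExpressions"

def expressions_enabled(xml_text):
    """Return True/False for the setting, or None when the item is absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Compare local names so a namespaced or a plain <item> both match.
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "item" and elem.get("name") == SETTING:
            return (elem.text or "").strip().lower() == "true"
    return None

def find_drift(console_xml, engine_xml_by_node):
    """List engine nodes whose setting differs from the console node's copy."""
    expected = expressions_enabled(console_xml)
    return sorted(node for node, text in engine_xml_by_node.items()
                  if expressions_enabled(text) != expected)

def _sample(value):
    # Constructed file contents with a constructed namespace,
    # not copied from a real installation.
    return ('<c:config xmlns:c="urn:example:config">\n'
            f'  <c:item name="{SETTING}">{value}</c:item>\n'
            '</c:config>\n')

CONSOLE = _sample("true")
ENGINES = {
    "engine-1": _sample("true"),
    "engine-2": _sample("false"),  # replication was missed on this node
    "engine-3": "<config/>",       # setting absent from the file
}

if __name__ == "__main__":
    print("Expressions enabled on console:", expressions_enabled(CONSOLE))
    print("Engine nodes out of sync:", find_drift(CONSOLE, ENGINES))
```

In practice the strings would be read from each node's copy of the file after replication and before the restart.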