Map outgoing user-account attributes to System for Cross-domain Identity Management (SCIM) responses to READ requests.
On the Attribute Fulfillment tab, for each target attribute,
select a source from the Source list, then choose or enter a
value. All target attributes must be mapped.
When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.Note:
Because the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.Note:
If you are configuring an OAuth Attribute Mapping configuration and have added
PERSISTENT_GRANT_LIFETIMEas an extended attribute in the Authorization Server Settingswindow, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.
- To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.
- To set lifetime based on the outcome of attribute mapping expressions, select
Expression as the source and enter an OGNL expression in
the Value field.
If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.
If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.
If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.
- To set a static lifetime, select Text from the
Source list and enter a static value in the
This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.
- ExpressionThis option provides more complex mapping capabilities, such as transforming outgoing values into different formats. All of the variables available for text entries are also available for expressions.Tip:
If you need to map an LDAP attribute to two attributes in a SCIM response, use an OGNL expression to create them.Tip:
Enable OGNL expression by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.
For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the window, and restart all nodes.
Values are returned from your query. When you make this selection, the Value list populates with the LDAP attributes you identified for this datastore.
- Identity Store
Values are returned from your query. When you make this selection, the Value list populates with the Identity Store attributes you identified for this datastore.
- No Mapping
Select this option to ignore the Value field.
The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the
- Click Done.