1. Go toApplications > OAuth > OpenID Connect Policy Management and select your policy, or click Add Policy.
  2. On the Contract Fulfillment tab, select a source from the Source list and then select or enter a value for each attribute in the contract.
    Map the subject attribute and all extended attributes from one of the following sources:
    • Context

      Values are returned from the context of the transaction at runtime.


      As the HTTP Request context value is retrieved as a Java object rather than text, OGNL expressions are preferred to evaluate and return values.

      To enter an expression, select Expression under Source, and then click Edit.

      If Expression is not available, you can enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory.

    • Extended Client Metadata

      Values are returned from the client record.

    • LDAP/JDBC/Other

      Values are returned from your datastore, if used. When selected, the Value list populates with attributes from the datastore.

    • Expression

      When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.

    • No Mapping

      This option ignores the Value field.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to the unique user ID returned from the credentials validator, using the ${attribute} syntax.

      You can also enter values from your datastore, when applicable, using the ${ds.attribute} syntax, where attribute is any of the datastore attributes you have selected.

    • Access Token

      The value is provided from the access token.

    • Persistent Grant

      Enables direct mapping from the grant to the ID Token and to user information attributes.

  3. Click Next.