Mapping attributes to a user account - PingFederate - 10.3

PingFederate Server

Map incoming attributes to the account attributes on an LDAP server, the columns in a database table on a Microsoft SQL Server, or the parameters of a Microsoft SQL Server stored procedure.

In addition to values obtained from the single sign-on (SSO) token, you can map attributes from the context of the SSO transaction, from text (with or without references to values from the SSO token), and from expressions, if enabled.

If you select a Microsoft SQL Server datastore on the User Repository tab, then on the Attribute Fulfillment tab you can test the insertion of attribute values into the database table or the stored procedure. When mapping to a database column of the datetime or smalldatetime data type, if you are not using a stored procedure to convert the incoming string value, you can use a PingFederate Java conversion method through OGNL expressions.

  1. On the Attribute Fulfillment tab, select a source from the list for each target attribute or parameter.
    • Assertion or Provider Claims

      Values are contained in the SSO token from this identity provider (IdP). When you select this, the associated Value list is populated by the attribute contract.

    • Context

      Values are returned from the context of the transaction at runtime.
      Note:

      As the HTTP Request is retrieved as a Java object rather than text, OGNL expressions are more appropriate to evaluate and return values. Choose Expression from the list and then click Edit to enter an expression.

    • Attribute Query

      This choice appears only if you choose the Attribute Query profile for provisioning.

      To map an attribute-query value, use the syntax ${query_attribute}. You can combine attribute-query values with references to attributes in the attribute contract; for example, ${query_attribute}+${attribute.

      References to attributes not contained in the attribute contract result in an attribute query back to the IdP partner.

    • Expression

      Tip:

      Enable OGNL expression by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.

      For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the System > Server > Cluster Management window, and restart all nodes.

      This option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.

      Tip:

      If you need to map multiple attribute values from one or multiple sources to one attribute value, use an OGNL expression to create it.

      For database mapping, if the data type of a target parameter is datetime or smalldatetime, you can use an expression to convert date-time strings from the SSO token. After selecting Expression, click Datetime OGNL Examples for syntax information and examples.

    • System Managed

      This mapping option appears only when the columns to be provisioned include automatically assigned attributes, such as an identity or timestamp column on the Microsoft SQL Server.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SSO token, using the ${attribute} syntax.

      Note:

      For LDAP mapping, choose Text as the Source for the objectClass attribute.

      For mapping into a database, if no entry is required for a column, you can leave the field blank. A blank entry results in an empty string in the database for string data types and null for all other data types. Alternatively, for string types, you can enter null in the field to explicitly set null in the column.

  2. Select or enter an attribute value.

    All values must be mapped. For optional table columns, you can leave the field blank or, for string data types, enter null to avoid empty strings.

    No value is required for System Managed attributes.

    Note:

    For Active Directory, enter user in the objectClass field. For Oracle Directory Server or Oracle Unified Directory, enter inetOrgPerson.

  3. Optional: When mapping to a Microsoft SQL Server datastore, test the insertion.
    • If testing from a table:
      1. Click Test insert into <table>.
      2. Enter values for each applicable target parameter.
      3. Click Test Insert.

        If the test succeeds, a confirmation displays along with the values inserted.

        CAUTION:

        Unless you want to keep the test values in the database, click Roll Back All Test Inserts.

    • If testing from a stored procedure:
      1. Click Test call to <procedure>.
      2. Enter values for each applicable target parameter.
      3. Click Test Stored Procedure Call.

        For stored procedures, only a confirmation displays if the test is successful, indicating that the procedure was populated with parameter values.

        CAUTION:

        No roll back feature is provided because PingFederate does not know the result of the procedure. Database rollback must be handled manually.

    When finished, click Return to Attribute Fulfillment.
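The Text source (step 1) and the blank/null rules for database columns (step 2) decide what actually lands in each column. The following model, added here as an illustration and not PingFederate's own code, expands `${attribute}` references from a constructed attribute contract and then applies the page's rules: a blank entry becomes an empty string for string types and NULL for everything else, and the literal text `null` becomes NULL for string types. The contract values, column names, the case-sensitive `null` check, the error on an unresolved reference, and the ISO-8601 parse standing in for a datetime OGNL conversion are all assumptions.

```python
"""
Model of the Text-source mapping rules on this page (added illustration,
not PingFederate code). Names, sample data, the unresolved-reference error
and the datetime conversion are assumptions.
"""
import re
from datetime import datetime
from typing import Any, Dict, Tuple

# Constructed attribute contract, as it would be resolved from an SSO token.
SAMPLE_CONTRACT: Dict[str, str] = {
    "SAML_SUBJECT": "jdoe",
    "mail": "jdoe@example.com",
    "givenName": "Jane",
    "issueInstant": "2024-05-01T12:34:56",
}

# Column types treated as "string data types" for the blank/null rule (assumption).
STRING_TYPES = {"char", "nchar", "varchar", "nvarchar", "text"}
DATETIME_TYPES = {"datetime", "smalldatetime"}

REF = re.compile(r"\$\{([^}]+)\}")


class UnresolvedAttribute(KeyError):
    """A ${...} reference names an attribute that is not in the contract."""


def render_text(template: str, contract: Dict[str, str]) -> str:
    """Expand every ${attribute} reference in a Text-source value.
    Failing loudly on an unknown name (assumption, not page behaviour)
    avoids silently provisioning an account with an empty field."""
    def expand(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name not in contract:
            raise UnresolvedAttribute(name)
        return contract[name]
    return REF.sub(expand, template)


def to_column_value(rendered: str, column_type: str) -> Any:
    """Apply the page's rules for what reaches the database column:
    blank -> '' for string types, NULL otherwise; the literal 'null'
    -> NULL for string types. A datetime column needs the string
    converted first; the page does that with an OGNL expression, and
    an ISO-8601 parse stands in for it here."""
    ctype = column_type.lower()
    if rendered == "":
        return "" if ctype in STRING_TYPES else None
    if ctype in STRING_TYPES and rendered == "null":
        return None
    if ctype in DATETIME_TYPES:
        return datetime.fromisoformat(rendered)  # ValueError if unparsable
    return rendered


def build_row(mappings: Dict[str, Tuple[str, str]],
              contract: Dict[str, str]) -> Dict[str, Any]:
    """mappings: column -> (Text-source template, column type).
    Every column to be provisioned must be listed (all values must be mapped)."""
    return {col: to_column_value(render_text(tmpl, contract), ctype)
            for col, (tmpl, ctype) in mappings.items()}


if __name__ == "__main__":
    # Constructed column mappings for a hypothetical users table.
    MAPPINGS = {
        "username":   ("${SAML_SUBJECT}", "varchar"),
        "display":    ("${givenName} <${mail}>", "nvarchar"),
        "department": ("", "varchar"),       # blank -> empty string
        "manager_id": ("", "int"),           # blank -> NULL
        "nickname":   ("null", "varchar"),   # literal null -> NULL
        "created_at": ("${issueInstant}", "datetime"),
    }
    for col, val in build_row(MAPPINGS, SAMPLE_CONTRACT).items():
        print(f"{col:12} -> {val!r}")
```

Running the model against a planned mapping table before using the Test Insert button shows which columns will receive an empty string rather than NULL, which is the distinction step 2 asks you to make for optional string columns. Whether PingFederate itself treats `NULL` (upper case) as the null marker or substitutes an empty string for an unresolved reference is not stated on this page, so those two choices in the model are assumptions to verify in your own deployment.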