To determine whether you need to look up additional values, compare the attribute contract against the adapter contract or the authentication policy contract. If the attribute contract does not contain the required information, determine whether a local datastore can supply it.

Alternatively, you can configure datastore queries as part of the fulfillment configuration for the applicable APC if you use authentication policies to route users through a series of authentication sources and end each successful policy path with an APC.

You make selections on the Adapter Data Store tab for service provider (SP) adapter mapping or the Attribute Retrieval tab for authentication policy contract (APC) mapping.


To learn more about authentication policies, see Authentication policies.

  • If the attribute contract contains all the attributes that your application requires, click Use only the attributes available in the SSO assertion.
  • To set up a datastore query, click Use the SSO assertion to look up additional information, and then follow a series of sub tasks to complete the configuration. See Choosing a datastore for step-by-step instructions.

If you are editing a currently mapped adapter instance or APC, you can change the mapping method, which might require additional configuration changes in subsequent tasks.