Configuring OAuth assertion grant contract fulfillment - PingFederate - 11.0

PingFederate Server

bundle
pingfederate-110
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.0
category
Product
pf-110
pingfederate
ContentType_ce

Map values from the SAML assertions or JSON web tokens (JWTs) to the attributes defined for the attribute contract. The access token manager instance requires these values to create an OAuth access token.

At runtime, a single sign-on (SSO) operation fails if PingFederate cannot fulfill the required attribute.

  1. On OAuth Assertion Grant Attribute Mapping > OAuth Assertion Grant Attribute Mapping Configuration > Contract Fulfillment , select a source from the Source list and then choose or enter a value for each attribute.
    • Assertion

      When selected, the Value list populates with attributes from the SAML assertion or the JWT.

      For example, to map the value of SAML_SUBJECT from a SAML assertion, or sub from a JWT, as the value of an attribute on the access-token contract, select Assertion from the Source list and TOKEN_SUBJECT from the Value list.

    • Context

      When selected, the Value list populates with the available context of the transaction.

      Note:

      Because the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values. For more information, see Expression.

    • Extended Client Metadata

      Values are returned from the client record.

    • LDAP, JDBC, or Other

      When selected, the Value list is populated with attributes that you have selected from the datastore. Select the desired attribute from the list.

    • Expression

      When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. Select Expression from the Source list, click Edit under Actions, and compose your OGNL expressions. All variables available for text entries are also available for expressions. For more information, see Text.

      Expressions are not enabled by default. For more information about enabling and editing OGNL expressions, see Attribute mapping expressions.

    • No Mapping

      Select this option to ignore the Value field.

    • Text

      When selected, the text you enter is used at runtime. You can mix text with references to any of the values from the SSO token, using the ${attribute} syntax.

      When applicable, you can enter values from your datastore using the ${ds.<attribute>} syntax, where <attribute> is any attribute that you have selected from the datastore.

      Tip:

      You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.

  2. Click Next.