For prerequisites and previous steps to configure the Attribute Query profile, see Configuring the Attribute Query profile in an SP connection.

The process of configuring PingFederate to look up attributes in a datastore for attribute-query responses is similar to that used for single sign-on (SSO) Attribute Sources and User Lookup.

  1. Enter a Description for the datastore in the text box.
    1. If prompted, enter an ID in the text box.
  2. Select a datastore instance from the Active Data Store list.

    If the datastore you want is not shown in the Active Data Store list, click Manage Data Stores to review or add a datastore instance. For more information, see Datastores.

  3. Depending on the datastore type, the rest of the setup varies as follows.

    When attribute queries are sent using X.509 Attribute Sharing Profile (XASP), use the variable ${SubjectDN}—rather than ${SAML_SUBJECT}—to retrieve the subject identifier.

    You can also use any of these distinguished name (DN)-parsing variables:
    • ${CN}
    • ${OU}
    • ${O}
    • ${L}
    • ${S}
    • ${C}
    • ${DC}

    If more than one value exists for any of the parsing variables, then they are enumerated. For example, if the Subject DN is cn=John Smith,ou=service,ou=employee, then you could use any of these elements in your filter qualifier:

    • ${SubjectDN}=cn=John Smith,ou=service,ou=employee
    • ${ou}=service
    • ${ou1}=employee

    For more information about XASP, see Attribute Query and XASP.

  4. When you have finished configuring your datastore, click Next to save changes.