You can extend the attribute contract with additional attributes. Optionally, you can configure PingFederate to mask individual extended attributes in its logs. For more information, see Attribute contracts and Attribute masking.


If you are creating or updating a SAML or an OpenID Connect identity provider (IdP) connection, consider using the partner's metadata to do so. If the metadata contains the required information, PingFederate automatically populates the attribute contract for you.

  1. On the Attribute Contract tab, enter the attribute name in the text box.

    Attribute names are case-sensitive and must correspond to the attribute names expected by your partner.


    If you are configuring a SAML connection to an InCommon participant, the assertion might contain attributes such as urn:oid:0.9.2342.19200300.100.1.3 and urn:oid:, which are standard names under various specifications, such as RFC 4524 and RFC 4519. For more information, see

    The following table describes a subset of the object IDs (OIDs) referenced by the most common attributes used by InCommon participants.

    | OID value | Description |
    | --- | --- |
    | 0.9.2342.19200300.100.1.3 | mail |
    | | eduPersonAffiliation |
    | | eduPersonPrincipalName |
    | | eduPersonEntitlement |
    | | eduPersonScopedAffiliation |
    | | eduPersonTargetedID |
    | | cn |
    | | sn |
    | | o |
    | | givenName |
    | 2.16.840.1.113730.3.1.241 | displayName |

    For other attributes, see the metadata from your partner. The FriendlyName values, if available, should provide additional information about the attributes. Alternatively, third-party resources, such as and, might help as well.

  2. Optional: Select the check box under Mask Values in Log.
  3. Click Add.
  4. Repeat until all desired attributes are defined.

Click Edit, Update, and Cancel to make or undo a change to an item. Click Delete and Undelete to remove an item or cancel the removal request.
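Before entering names on the Attribute Contract tab, it helps to check them against what the partner's metadata advertises. The following is an added example, not PingFederate code: it reads the `Name` and `FriendlyName` values from constructed sample IdP metadata and flags planned contract names that differ only in case or that use the FriendlyName instead of the actual name. The function names, the sample metadata, and the planned names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample IdP metadata (not from a real partner).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://idp.example.edu/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"/>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"/>
    <saml:Attribute Name="memberOf"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def partner_attributes(metadata_xml):
    """Return {Name: FriendlyName or None} for attributes the IdP advertises."""
    # Standard-library parser for brevity; parse only metadata from a trusted source.
    root = ET.fromstring(metadata_xml)
    found = root.findall(".//md:IDPSSODescriptor/saml:Attribute", NS)
    return {el.get("Name"): el.get("FriendlyName") for el in found}


def check_contract(contract_names, metadata_xml):
    """Compare planned contract names with the partner's names, case-sensitively."""
    advertised = partner_attributes(metadata_xml)
    by_lower = {n.lower(): n for n in advertised}
    by_friendly = {f: n for n, f in advertised.items() if f}
    report = {"ok": [], "case_mismatch": [], "friendly_name": [], "unknown": []}
    for name in contract_names:
        if name in advertised:
            report["ok"].append(name)
        elif name.lower() in by_lower:
            # Same letters, different case: the contract would not match.
            report["case_mismatch"].append((name, by_lower[name.lower()]))
        elif name in by_friendly:
            # FriendlyName is descriptive only; the contract needs the Name.
            report["friendly_name"].append((name, by_friendly[name]))
        else:
            report["unknown"].append(name)
    return report


if __name__ == "__main__":
    planned = ["urn:oid:0.9.2342.19200300.100.1.3", "MemberOf", "mail", "uid"]
    for kind, items in check_contract(planned, SAMPLE_METADATA).items():
        print(kind, items)
```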