Map attributes from the access token or other sources to fulfill the attribute contract.
- Go to Applications > OAuth > OpenID Connect Policy Management and select your policy, or click Add Policy.
- On the Contract Fulfillment tab, select a source from the Source list and then select or enter a value for each attribute in the contract.
Map the subject attribute and all extended attributes from one of the following sources:
  - Context
    - Values are returned from the context of the transaction at runtime.
    - To enter an expression, select Expression under Source, and then click Edit.
    - Note: When modifying the personally identifiable information (PII) for hybrid flows, if the RequestEndpoint context value ends with a token endpoint path, the actual value is populated and sent in the token response. If the field is blank, a null value is sent in the token response.
    - Because the HTTP Request context value is retrieved as a Java object rather than as text, use an OGNL expression to evaluate it and return a value.
    - If Expression is not available, you can enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory. Expressions are evaluated inside the PingFederate server, so enable them only when you need them and limit who can edit OpenID Connect policies.
  - Extended Client Metadata
    - Values are returned from the client record.
  - LDAP/JDBC/Other
    - Values are returned from your datastore, if one is used. When selected, the Value list is populated with attributes from the datastore.
  - Expression
    - When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available in expressions.
  - No Mapping
    - This option ignores the Value field.
  - Text
    - The value is what you enter. This can be text only, or you can mix text with references to the unique user ID returned from the credentials validator, using the ${attribute} syntax.
    - You can also enter values from your datastore, when applicable, using the ${ds.attribute} syntax, where attribute is any of the datastore attributes you have selected.
    - Tip: You can reference attribute values in the form ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ or } in the default value.
  - Access Token
    - The value is provided from the access token.
  - Persistent Grant
    - Enables direct mapping from the grant to the ID token and to user information attributes.
- Click Next.
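The Text-source syntax described above (${attribute}, ${ds.attribute} and ${attributeName:-defaultValue}), modelled as an added example so you can see how a value expands at runtime and check a policy value before saving it. This is not PingFederate code and not taken from the documentation. The attribute names and values are constructed, and the behaviour for a reference that has neither a value nor a default is an assumption: the example raises rather than silently emitting an empty claim.

```python
"""Resolver and pre-deployment lint for ${...} text values in an OIDC policy.

Added example, not code from PingFederate or its documentation. It models
the documented Text-source syntax: ${attribute} for contract attributes,
${ds.attribute} for selected datastore attributes, and ${name:-default}
for an optional default. Anything the documentation does not specify is an
assumption and is marked as such.
"""
import re
from typing import Dict, List, Optional

# One reference: optional "ds." prefix, attribute name, optional ":-default".
# The default runs up to the first "}", which is why "${" and "}" must not
# appear inside it.
_REF = re.compile(r"\$\{(ds\.)?([A-Za-z0-9_.\-]+)(?::-([^}]*))?\}")


class UnresolvedReference(Exception):
    """A referenced attribute has no value and no default was given."""


def resolve(template: str,
            contract: Dict[str, Optional[str]],
            datastore: Optional[Dict[str, Optional[str]]] = None) -> str:
    """Expand every ${...} reference in template.

    contract:  attribute values available at runtime (for example the
               unique user ID from the credentials validator).
    datastore: attributes selected from the LDAP/JDBC datastore, if any.

    Assumptions (not stated on the page): None and "" both count as "not
    available", and a reference with no value and no default raises.
    """
    datastore = datastore or {}

    def _sub(m) -> str:
        is_ds, name, default = m.group(1), m.group(2), m.group(3)
        source = datastore if is_ds else contract
        where = f"ds.{name}" if is_ds else name
        value = source.get(name)
        if value:
            return value
        if default is not None:
            return default
        raise UnresolvedReference(f"${{{where}}} has no value and no default")

    return _REF.sub(_sub, template)


def lint(template: str,
         contract_attrs: List[str],
         selected_ds_attrs: List[str]) -> List[str]:
    """Return the problems a reviewer would flag before saving the value.

    Checks that every reference names a contract attribute or a selected
    datastore attribute, and that no default contains "${" or "}".
    """
    problems: List[str] = []
    for m in _REF.finditer(template):
        is_ds, name, default = m.group(1), m.group(2), m.group(3)
        known = selected_ds_attrs if is_ds else contract_attrs
        kind = "datastore" if is_ds else "contract"
        where = f"ds.{name}" if is_ds else name
        if name not in known:
            problems.append(f"unknown {kind} attribute: {where}")
        if default is not None and "${" in default:
            problems.append(f"default for {where} contains '${{'")
    # Anything left over after removing well-formed references is a stray
    # "${" or "}", typically a brace that was placed inside a default.
    leftover = _REF.sub("", template)
    if "${" in leftover or "}" in leftover:
        problems.append("stray '${' or '}' outside a reference")
    return problems


if __name__ == "__main__":
    # Constructed sample: the subject comes from the credentials validator,
    # the mail domain from a datastore attribute that may be empty.
    tmpl = "${username}@${ds.mail_domain:-example.com}"
    print(lint(tmpl, ["username"], ["mail_domain"]))
    print(resolve(tmpl, {"username": "alice"}, {"mail_domain": None}))
```

Run lint over a policy's text values when you export the configuration for review: an unknown attribute name or a brace inside a default is the kind of mistake that only shows up as a null or malformed claim at runtime.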