On the Attribute Contract Fulfillment tab, you can define the
default attributes PingFederate will send to the service provider (SP) in case of failure to complete
the attribute contract.
For initial steps to configure identity provider (IdP) adapter instances or
authentication policy contracts (APC), see Managing authentication source mappings.
If you have selected the failsafe option on the
Mapping Method tab and the Send user to SP
using default list of attributes option on the
Failsafe Attribute Source tab, define the default
values that should be sent in the single sign-on (SSO) tokens to the SP.
On the Attribute Contract Fulfillment
tab, you must complete the following steps for each adapter instance or APC.
-
Select a source from the Source drop-down list.
-
Select a source from the Source list and then choose or
enter a value. You must map all attributes. See the following table for more
information.
-
Adapter or Authentication Policy Contract
(the authentication source)
When selected, the Value list is
populated with attributes from the authentication source. Select the desired
attribute from the list. At runtime, the attribute value from the authentication
source is mapped to the value of the attribute in the SSO token.
For example,
to map the value of the HTML Form Adapter's username attribute
as the value of the SAML_SUBJECT attribute on the contract,
select Adapter from the Source list
and username from the Value list.
-
Context
When selected, the Value list populates with the available context
of the transaction. Select the desired context from the list. At runtime, the context value
is mapped to the value of the attribute in the SSO token.
Important:
If you are configuring an SP connection to bridge one or more identity providers to a
service provider, consider mapping the original issuer of the assertions into an attribute
by selecting Context as the source and Authenticating
Authority as the value. This is important when bridging multiple identity
providers to one service provider, where the service provider should take the information
about the original issuer into consideration before granting access to protected
resources.
For more information, see Bridging multiple IdPs to an SP.
Note:
Because the HTTP Request context value is retrieved as a Java
object rather than text, use OGNL expressions to evaluate and return values (see
Expression).
-
Expression
When enabled, this option provides more complex mapping capabilities, such as
transforming incoming values into different formats. Select
Expression from the Source list, click
Edit under Actions, and compose your
OGNL expressions. All variables available for text entries are also available for
expressions. For more information, see Text.
Expressions
are not enabled by default. For more information about enabling and editing OGNL
expressions, see Attribute mapping expressions.
- No Mapping
Select this option to ignore the
Value field, causing no value selection to be
necessary.
-
Text
When selected, the text you
enter is mapped to the value of the attribute in the single sign-on tokens at runtime. You
can mix text with references to any of the values from the authentication source using the
${attribute}
syntax.
Tip:
You can reference attribute values in the form of
${attributeName:-defaultValue}
. The default value is optional.
When specified, it is used at runtime if the attribute value is not available. Do
not use ${
and }
in the default value.
Tip:
Two other text variables are also available: ${SAML_SUBJECT}
and
${TargetResource}
. SAML_SUBJECT is the
initiating user (or other entity). TargetResource is a
reference to the protected application or other resource for which the user
requested SSO access; the ${TargetResource}
text variable is
available only if specified as a query parameter for the relevant endpoint (either
as TargetResource for SAML 2.0 or TARGET
for SAML 1.x).
-
After all attributes have been mapped, click Next to save
changes.