1. Optional: Go to Authentication > OAuth > Authentication Policy Contract Mapping.
  2. Optional: From the Authentication Policy Contract list, click the desired mapping or select the desired mapping from the Authentication Policy Contract list.
    Note:

    If you do not have an authentication policy contract mapping already configured, go to Authentication > Policies > Policy Contracts and configure and save a new contract.

  3. Optional: On the Attribute Sources & User Lookup window, click Add Attribute Source to configure datastore queries.
  4. On the Contract Fulfillment tab, fulfill the selected contract.
    Note:

    If the selected closed-ended path contains more than one authentication source, you have access to attributes obtained successfully from the previous authentication sources along the same path.

    For example, referring to the earlier policy in Applying policy contracts or identity profiles to authentication policies, if you select an authentication policy contract for the PingID (Adapter) > Success result, you can map attributes from the HTML Form Adapter and the PingID Adapter.

    Besides the preceding identity provider (IdP) connection or IdP adapter instance, you can also use dynamic text, attribute mapping expression, if enabled, and tracked HTTP request parameter, if configured, as the source of fulfillment.

  5. Optional: On the Issuance Criteria tab, configure conditions to be validated before issuing an authentication policy contract. For more information, see Defining issuance criteria for contract or local identity mapping.
  6. On the Summary tab, review your configuration, modify as needed, and then click Done.
  7. On the Policy window, continue with the rest of your policy configuration.