An attribute contract is the set of user attributes that you and your partner have agreed will be sent in the single sign-on (SSO) tokens for this connection.
On the Attribute Contract tab, you specify the attributes for the name identifier of your WS-Federation configuration or, optionally, of your SAML configuration. For more information, see Attribute contracts.
WS-Federation connections require you to define attribute contracts. For SAML connections, attribute contracts are optional if you are sending either pseudonym or transient identifiers to the partners. For more information, see Selecting a SAML Name ID type.
When establishing an attribute contract, you can change the name format when certain conditions are met. The following table summarizes the conditions and the possible actions that you can perform on the Attribute Contract tab.
Protocol | Identity mapping | Attribute contract | SAML_SUBJECT | Additional attributes |
---|---|---|---|---|
SAML 2.0 or SAML 1.1 | Standard | Required | Built-in. Subject name format can be changed by selecting a value from a list. | Optional. Attribute name format can be changed by selecting a value from a list. |
SAML 2.0 or SAML 1.1 | Pseudonym or Transient | Required only if the Include attributes ... check box is selected on the Identity Mapping window. Otherwise the Attribute Contract window is not shown. | Assumed and cannot be added as an additional attribute. | At least one is required. Attribute name format can be changed by selecting a value from a list. |
SAML 1.0 | Standard | Required | Built-in. Subject name format can be changed by selecting a value from a list. | Optional. There is no attribute name format. |
SAML 1.0 | Pseudonym or Transient | Required only if the Include attributes ... check box is selected on the Identity Mapping window. Otherwise the Attribute Contract window is not shown. | Assumed and cannot be added as an additional attribute. | At least one is required. There is no attribute name format. |
WS-Federation in conjunction with SAML 1.1 as the token type | Email address, user principal name, or common name | Required | Built-in. There is no subject name format. | Optional. Attribute name format can be changed by selecting a value from a list. |
WS-Federation in conjunction with SAML 2.0 as the token type | Email address, user principal name, or common name | Required | Built-in. There is no subject name format. | Optional. Attribute name format can be changed by selecting a value from a list. |
WS-Federation in conjunction with JWT as the token type | Not applicable | Required | Not applicable | At least one is required. There is no attribute name format. |
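The rows above for SAML 2.0 with pseudonym or transient identity mapping (SAML_SUBJECT is assumed, at least one additional attribute is required) can be verified on a received assertion. The following is an added example, not PingFederate code: a small checker that compares a SAML 2.0 assertion against the agreed contract. The assertion fragment is constructed, the `identity_mapping` labels are hypothetical, and the mapping of pseudonym to the persistent NameID format is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the page); an unsigned fragment is enough for contract checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed mapping of the identity-mapping choice to the SAML 2.0 NameID format URN.
EXPECTED_NAMEID_FORMAT = {
    "pseudonym": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}


def check_contract(assertion_xml, identity_mapping, contract_attrs):
    """Return the list of contract violations found (an empty list means the assertion honours it).

    identity_mapping: "standard", "pseudonym" or "transient" (hypothetical labels mirroring the table).
    contract_attrs: the set of additional attribute names agreed with the partner.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    attrs = {a.get("Name"): a for a in root.iterfind(".//saml:Attribute", NS)}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("missing SAML_SUBJECT (NameID)")
    elif identity_mapping in EXPECTED_NAMEID_FORMAT and name_id.get("Format") != EXPECTED_NAMEID_FORMAT[identity_mapping]:
        problems.append(f"NameID format {name_id.get('Format')} does not match {identity_mapping} mapping")
    if identity_mapping in ("pseudonym", "transient"):
        # Per the table: SAML_SUBJECT is assumed and may not travel as an additional attribute,
        # and the contract must carry at least one additional attribute.
        if "SAML_SUBJECT" in attrs:
            problems.append("SAML_SUBJECT sent as an additional attribute")
        if not contract_attrs:
            problems.append("at least one additional attribute is required")
    for name in sorted(contract_attrs - attrs.keys()):
        problems.append(f"agreed attribute missing: {name}")
    for name in sorted(attrs.keys() - contract_attrs - {"SAML_SUBJECT"}):
        problems.append(f"attribute not in contract: {name}")
    return problems
```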
If you are creating or updating a SAML service provider (SP) connection, consider using the partner's metadata to do so. If the metadata contains the required information, PingFederate automatically populates the attribute contract for you. For more information, see Importing SP metadata.