On the LDAP Filter window, enter a filter for PingFederate to query the data you selected. The filter is in the form:

attribute1=value1

The left side (attribute1) is an attribute from your directory.

Tip:

To see a list of attributes, click the View List of Available LDAP Attributes link.

The right side (value1) is the value to match against, generally a variable passed in from either the authentication source (for an identity provider, IdP) or the incoming assertion (for a service provider, SP). The variables available to you are listed beneath the Filter text field. If one mapping retrieves attributes from multiple data stores, attributes from previously configured sources are also listed near the bottom of the window.

You can also apply additional search criteria by using other attributes from the target object class.

A filter narrows a search by including or excluding specific records. It names the attributes to search on and the value or range of values the search must match. A search therefore has three components: at least one attribute to search on, a filter operator that determines how values are compared, and the value being sought.

  1. On the LDAP Filter window, enter a search filter in the text field.
    Tip:

    You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.

  2. Ensure the syntax and variable names are correct. For general information about search filters, consult your directory documentation.
  3. Click Next to complete the configuration to query attributes from the directory server.

    Later in the workflow, you can use the attribute values returned from your directory server in the applicable contract fulfillment window, the issuance criteria window, or both, to fulfill your use case.

Example

Suppose you want to locate user records by matching the mail Active Directory (AD) user attribute against an extended attribute, eml, in your access token contract for the purpose of mapping attributes to an OpenID Connect policy. As a passed-in variable from the access token, ${eml} is shown underneath the Filter text field.

On the LDAP Filter window, enter the following filter in the Filter text field.

mail=${eml}

mail
    An AD user attribute containing the email address of the user.
${eml}
    The value of the extended attribute (eml) in the access token contract.
Important:

You must use the ${} syntax to retrieve the value of the enclosed variable.
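The following is an added example, not part of the PingFederate documentation or product code. It models the variable resolution described in the tip above (${attributeName} and ${attributeName:-defaultValue}) and the mail=${eml} example: a small resolver substitutes contract or assertion attribute values into a filter template, applies the default when the attribute is absent, and fails when neither is available. Because the substituted value typically originates outside the directory (an assertion or token attribute), the example also applies RFC 4515 escaping to it, so that characters such as *, ( and ) cannot change the meaning of the filter. Whether PingFederate itself applies this escaping is not stated on this page; the function shows the rule so you can verify the behaviour in your own deployment. The template syntax, the attribute dictionary and the sample values are constructed for illustration.

```python
import re

# Characters that carry meaning inside an LDAP search filter (RFC 4515, section 3).
# Each is replaced by a backslash and its two-digit hexadecimal code.
_FILTER_SPECIALS = {'\\', '*', '(', ')', '\x00'}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally when embedded in a filter."""
    return ''.join(
        '\\%02x' % ord(ch) if ch in _FILTER_SPECIALS else ch
        for ch in value
    )


# Matches ${name} or ${name:-default}. The name may not contain '}' or ':';
# the default may not contain '}' (the page says not to use ${ and } there).
_VAR_REF = re.compile(r'\$\{([^}:]+)(?::-([^}]*))?\}')


def render_filter(template: str, attributes: dict) -> str:
    """Resolve ${name[:-default]} references in an LDAP filter template.

    attributes maps variable names (e.g. 'eml') to the values passed in at
    runtime from the authentication source, assertion or token contract.
    A reference with no value and no default raises KeyError, which is the
    case the page's default-value syntax exists to avoid.
    """
    def substitute(match: re.Match) -> str:
        name, default = match.group(1), match.group(2)
        value = attributes.get(name)
        if value is None:
            if default is None:
                raise KeyError(f"no runtime value for ${{{name}}} and no default given")
            value = default
        return escape_filter_value(str(value))

    return _VAR_REF.sub(substitute, template)


if __name__ == '__main__':
    # The page's example: match the AD mail attribute against the token's eml attribute.
    print(render_filter('mail=${eml}', {'eml': 'alice@example.com'}))
    # Default applied because eml is missing from the constructed attribute set.
    print(render_filter('mail=${eml:-nobody@example.com}', {}))
    # A crafted value is neutralised rather than widening the search.
    print(render_filter('(&(objectClass=user)(mail=${eml}))', {'eml': 'a)(uid=*'}))
```

Run the module directly to see the three rendered filters. The third case is the one worth checking against your own setup: with escaping, the crafted value searches for a literal string and matches nothing, whereas an unescaped substitution would produce a filter that matches every user with a uid.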