1. On the Attribute Fulfillment tab, for each target attribute, select a source from the Source list, then choose or enter a value. All target attributes must be mapped.
    • Context

      When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.

      Note:

      Because the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.

      Note:

      If you are configuring an OAuth Attribute Mapping configuration and have added PERSISTENT_GRANT_LIFETIME as an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.

      • To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.
      • To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression in the Value field.

        If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.

        If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.

        If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.

      • To set a static lifetime, select Text from the Source list and enter a static value in the Value field.

        This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.

    • Expression

      This option provides more complex mapping capabilities, such as transforming outgoing values into different formats. All of the variables available for text entries are also available for expressions.

      Tip:

      If you need to map an LDAP attribute to two attributes in a SCIM response, use an OGNL expression to create them.

      Tip:

      Enable OGNL expressions by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.

      For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the System > Server > Cluster Management window, and restart all nodes.

    • LDAP

      Values are returned from your query. When you make this selection, the Value list populates with the LDAP attributes you identified for this datastore.

    • Identity Store

      Values are returned from your query. When you make this selection, the Value list populates with the Identity Store attributes you identified for this datastore.

    • No Mapping

      Select this option to ignore the Value field.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the ${attribute} syntax.

      Tip:

      You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.

  2. Click Done.
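
The `${attributeName:-defaultValue}` syntax described for the Text source can be checked before a mapping is saved. The following Python linter is an added example, not part of PingFederate or its documentation; the function names and sample values are hypothetical, and it checks only the syntax rules stated above, not runtime behavior.

```python
def lint_text_mapping(value):
    """Lint one Text mapping value.

    Returns (references, problems): references is a list of
    (attribute_name, default_or_None); problems is a list of strings.
    """
    references, problems = [], []
    pos = 0
    while True:
        start = value.find("${", pos)
        if start == -1:
            break
        end = value.find("}", start + 2)
        if end == -1:
            problems.append("offset %d: reference is never closed with '}'" % start)
            break
        body = value[start + 2:end]
        name, sep, default = body.partition(":-")
        if "${" in body:
            # The first '}' closes the reference, so a '${' in the default
            # cuts the default short; the documentation forbids this form.
            problems.append("offset %d: '${' inside a reference or its default" % start)
        elif not name.strip():
            problems.append("offset %d: empty attribute name" % start)
        else:
            references.append((name, default if sep else None))
        pos = end + 1
    return references, problems


def references_without_default(references):
    """Names with no fallback, so the attribute must be available at runtime."""
    return [name for name, default in references if default is None]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    samples = [
        "${givenName} ${familyName:-Unknown}",
        "${mail:-${uid}@example.com}",
        "id-${uid",
    ]
    for sample in samples:
        refs, probs = lint_text_mapping(sample)
        print(sample, refs, references_without_default(refs), probs)
```

References reported by `references_without_default` are the ones to review first, because the mapping has no fallback if the attribute is missing from the SCIM request.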