Map attribute values in the System for Cross-domain Identity Management (SCIM) request to group attributes.
- On the Attribute Fulfillment tab, for each attribute, select a source from the list and then choose or enter a value. You must map all target attributes.
- Context
When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.
Note: As the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.
Note: If you are configuring an OAuth Attribute Mapping configuration and have added PERSISTENT_GRANT_LIFETIME as an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.
  - To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.
  - To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression in the Value field.
    If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.
    If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.
    If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.
  - To set a static lifetime, select Text from the Source list and enter a static value in the Value field.
    This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.
- Expression
This option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
Tip: If you need to map two attribute values from a SCIM request to one LDAP attribute value, use an OGNL expression to create the LDAP attribute.
Tip: Enable OGNL expressions by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.
For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the System > Server > Cluster Management window, and restart all nodes.
- SCIM Group
When you make this selection, the associated Value list populates with the defined components of the SCIM request.
- No Mapping
Select this option to ignore the Value field.
- Text
The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the ${attribute} syntax.
Tip: You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.
- Click Done.
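For the Text source described above, the following added example (not PingFederate code) checks a mapping value for the ${attribute} and ${attributeName:-defaultValue} rules before you enter it, and previews the result. The attribute names, the sample values, and the choice to leave unresolved references visible in the preview are assumptions of this sketch.

```python
import re

# Matches ${name} and ${name:-default} as described for the Text source.
REF = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")

# Constructed sample: attribute names assumed to be offered for the SCIM group.
SCIM_GROUP_ATTRS = {"id", "externalId", "displayName", "members"}


def lint(template, known=SCIM_GROUP_ATTRS):
    """Return a list of problems in a Text-source mapping value."""
    problems = []
    for m in REF.finditer(template):
        name, default = m.group(1), m.group(2)
        if name not in known:
            problems.append(f"unknown attribute: {name}")
        if default is not None and "${" in default:
            problems.append(f"default for {name} contains '${{'")
    # Whatever is left once well-formed references are removed should not
    # contain reference delimiters; a "}" typed into a default ends up here.
    # This is deliberately conservative and also flags a literal "}" in text.
    leftover = REF.sub("", template)
    if "${" in leftover or "}" in leftover:
        problems.append("stray '${' or '}' outside a well-formed reference")
    return problems


def preview(template, values):
    """Render the template; return (text, names left unresolved)."""
    unresolved = []

    def substitute(m):
        name, default = m.group(1), m.group(2)
        value = values.get(name)
        if value is not None:
            return str(value)
        if default is not None:
            return default        # default applies when the value is unavailable
        unresolved.append(name)   # sketch's choice: keep the reference visible
        return m.group(0)

    return REF.sub(substitute, template), unresolved


if __name__ == "__main__":
    request = {"displayName": "Engineering"}  # constructed SCIM group values
    for t in ("cn=${displayName},ou=${externalId:-unassigned}",
              "${displayName:-${id}}", "${nickName}"):
        print(t, lint(t), preview(t, request))
```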