Mapping attributes to groups - PingFederate - 11.2

PingFederate Server

bundle
pingfederate-112
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.2
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-112
pingfederate
ContentType_ce
Guide
Guide > Administrator Guide
Product documentation

Map attribute values in the System for Cross-domain Identity Management (SCIM) request to group attributes.

  1. On the Attribute Fulfillment tab, for each attribute, select a source from the list and then choose or enter a value. You must map all target attributes.
    • Context

      When selected, the Value list populates with the available context of the transaction. Select the desired context from the list.

      Note:

      As the HTTP Request context value is retrieved as a Java object rather than text, use OGNL expressions to evaluate and return values.

      Note:

      If you are configuring an OAuth Attribute Mapping configuration and have added PERSISTENT_GRANT_LIFETIME as an extended attribute in the Authorization Server Settings window, you can set the lifetime of persistent grants based on the outcome of attribute mapping expressions or the per-client Persistent Grants Max Lifetime setting.

      • To set lifetime based on the per-client Persistent Grants Max Lifetime setting, select Context from the Source list and Default Persistent Grant Lifetime from the Value list.
      • To set lifetime based on the outcome of attribute mapping expressions, select Expression as the source and enter an OGNL expression in the Value field.

        If the expression returns a positive integer, the value represents the lifetime of the persistent grant in minutes.

        If the expression returns the integer 0, PingFederate does not store the grant and does not issue a refresh token.

        If the expression returns any other value, PingFederate sets the lifetime of the persistent grant based on the per-client Persistent Grants Max Lifetime setting.

      • To set a static lifetime, select Text from the Source list and enter a static value in the Value field.

        This is suitable for testing purposes, or cases where the persistent grant lifetime must always be set to a specific value.

    • Expression
      This option provides more complex mapping capabilities ,such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
      Tip:

      If you need to map two attribute values from a SCIM request to one LDAP attribute value, use an OGNL expression to create the LDAP attribute.

      Tip:

      Enable OGNL expression by editing the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml file. Restart PingFederate after saving the change.

      For a clustered PingFederate environment, edit the org.sourceid.common.ExpressionManager.xml file on the console node, sign on to the administrative console to replicate this change to all engine nodes in the System > Server > Cluster Management window, and restart all nodes.

    • SCIM Group

      When you make this selection, the associated Value list populates with the defined components of the SCIM request.

    • No Mapping

      Select this option to ignore the Value field.

    • Text

      The value is what you enter. This can be text only, or you can mix text with references to any of the values from the SCIM request, using the ${attribute} syntax.

      Tip:

      You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.

  2. Click Done.