1. Go to Authentication > OAuth > Authentication Policy Contract Mapping.
  2. On the Authentication Policy Contract list, click the desired mapping or select the desired mapping from the Authentication Policy Contract list.

    If you don't already have an authentication policy contract mapping configured, go to Authentication > Policies > Policy Contracts to configure and save a new contract.

  3. Optional: On the Attribute Sources & User Lookup window, click Add Attribute Source to configure datastore queries.
  4. On the Contract Fulfillment tab, fulfill the selected contract.

    If the selected closed-ended path contains more than one authentication source, you have access to attributes obtained successfully from the previous authentication sources along the same path.

    For example, referring to the earlier policy in Applying policy contracts or identity profiles to authentication policies, if you select an authentication policy contract for the PingID (Adapter) > Success result, you can map attributes from the HTML Form Adapter and the PingID Adapter.

    Besides the preceding identity provider (IdP) connection or IdP adapter instance, you can also use the following as the source of fulfillment:

    • Dynamic text
    • Attribute mapping expressions, if enabled
    • Tracked HTTP request parameters, if configured
    • Request context
    • Extended properties, if configured on the Extended Properties window
  5. Optional: On the Issuance Criteria tab, configure conditions to be validated before issuing an authentication policy contract.
  6. On the Summary tab, review your configuration, modify as needed, and then click Done.
  7. On the Policy window, continue with the rest of your policy configuration.