You can configure the identity hint contract, which contains the set of attributes received in the client initiated backchannel authentication (CIBA) request that identifies the user.
IDENTITY_HINT_SUBJECT is a core attribute and is automatically populated by the sub attribute of an identity hint token, if found, or the attribute value of the login_hint request attribute.
A client can send an ID token, id_token_hint, or a login hint token, login_hint_token, as the identity hint token. If you extend the identity hint contract with attribute names from the identity token, PingFederate fulfills them with values found in the identity token.
If needed, you can fulfill any of these attributes differently on the Identity Hint Contract Fulfillment tab.
Example
Suppose the following JSON web token (JWT) matches the expected structure of the login hint tokens.
{
  "sub": "asmith",
  "attrs": {
    "mail": "asmith@example.com",
    "phone": "555-555-5555"
  }
}
To add both the mail and phone attributes, extend the contract with login_hint_token.attrs.mail and login_hint_token.attrs.phone, respectively.
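The mapping described above, sketched as an added example (not PingFederate code): the dotted contract names are resolved against the decoded login hint token, and IDENTITY_HINT_SUBJECT falls back to login_hint when the token has no sub. The function names are hypothetical, the token is a constructed sample, and the sketch assumes the token's signature was already validated before any claim is read.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    # Decodes the payload only. Assumption: signature validation happened earlier.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def resolve_path(claims, dotted):
    # Walk a dotted path such as "attrs.mail"; None when any step is missing.
    node = claims
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def fulfill_contract(extended_names, login_hint_token=None, login_hint=None):
    # Hypothetical helper modelling only the login_hint_token prefix shown on this page.
    claims = jwt_claims(login_hint_token) if login_hint_token else {}
    subject = claims.get("sub")
    if subject is None:
        subject = login_hint  # core attribute falls back to the login_hint value
    result = {"IDENTITY_HINT_SUBJECT": subject}
    prefix = "login_hint_token."
    for name in extended_names:
        path = name[len(prefix):] if name.startswith(prefix) else None
        result[name] = resolve_path(claims, path) if path else None
    return result

def make_sample_token(payload):
    # Constructed sample token with a placeholder signature, for illustration only.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256"}) + "." + enc(payload) + ".constructed-signature"

CONTRACT = ["login_hint_token.attrs.mail", "login_hint_token.attrs.phone"]
SAMPLE = make_sample_token({"sub": "asmith", "attrs": {
    "mail": "asmith@example.com", "phone": "555-555-5555"}})
```

An extended attribute whose path is absent from the token resolves to None here, which is the case to check for before relying on that attribute to identify the user.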