You can use a filter in PingFederate to query your selected data and retrieve a record associated with it.
On the LDAP Filter window, enter a filter for PingFederate to query the data you selected. The filter is in the form:
attribute1=value1
The left side (attribute1) is an attribute from your directory.
To see a list of attributes, click the View List of Available LDAP Attributes link.
The right side (value1) is the match-against value, generally a variable passed in from either an authentication source for an identity provider (IdP) or an assertion for a service provider (SP). The variables are shown underneath the Filter text field. If you are retrieving attributes from multiple data stores using one mapping, attributes available from other sources, if previously configured, are listed near the bottom of the window.
You can also apply additional search criteria by using other attributes from the target object class.
A filter narrows a search to locate requested data by either including or excluding specific records. A filter includes the attributes in the search and the value or range of values that the search is attempting to match. Searches are conducted by using three components: at least one attribute (attribute data type) on which to search, a search filter operator that will determine what to match, and the value of the attribute being sought.
Example
Suppose you want to locate user records by matching the mail Active Directory (AD) user attribute against an extended attribute, eml, in your access token contract for the purpose of mapping attributes to an OpenID Connect policy. As a passed-in variable from the access token, ${eml} is shown underneath the Filter text field.
On the LDAP Filter window, enter the following filter in the Filter text field.
mail=${eml}
- mail: An AD user attribute containing the email address of the user
- ${eml}: The value of the extended attribute (eml) in the access token contract
You must use the ${} syntax to retrieve the value of the enclosed variable.
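The following Python example is added here to make the attribute=value form and the ${variable} substitution concrete; it is not PingFederate's own code and makes no claim about how PingFederate processes the filter internally. It splits a filter such as mail=${eml} into its attribute and value sides, checks that the attribute is a valid LDAP attribute description, substitutes the variable from a constructed access-token contract, and escapes the substituted value as RFC 4515 requires so that characters like *, (, ) and \ are matched literally rather than changing the shape of the filter. The conjunction helper shows the standard LDAP way of adding further search criteria from the target object class. The variable names, token values and the objectClass clause are assumptions for illustration.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# ${name} placeholders, the syntax the page uses for passed-in variables.
_VARIABLE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.-]*)\}")

# LDAP attribute description (RFC 4512 keystring, optionally with ;options), e.g. "mail".
_ATTRIBUTE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter (RFC 4515)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def parse_simple_filter(filter_text: str) -> tuple[str, str]:
    """Split an attribute=value filter into its two sides and validate the attribute name."""
    attribute, sep, value = filter_text.partition("=")
    if not sep:
        raise ValueError(f"filter {filter_text!r} is not of the form attribute=value")
    attribute = attribute.strip()
    if not _ATTRIBUTE.match(attribute):
        raise ValueError(f"{attribute!r} is not a valid LDAP attribute description")
    return attribute, value.strip()


def render_filter(template: str, variables: dict[str, str]) -> str:
    """Substitute every ${name} in the template with its escaped value from the contract."""

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value for variable ${{{name}}} in the contract")
        return escape_filter_value(variables[name])

    return _VARIABLE.sub(substitute, template)


def conjunction(*filters: str) -> str:
    """Combine rendered filters with LDAP AND so additional attributes narrow the search."""
    return "(&" + "".join(f"({f})" for f in filters) + ")"


if __name__ == "__main__":
    # Constructed access-token values; "eml" is the extended attribute from the example above.
    token = {"eml": "alice@example.com"}
    print(parse_simple_filter("mail=${eml}"))        # ('mail', '${eml}')
    print(render_filter("mail=${eml}", token))       # mail=alice@example.com
    # A value carrying filter metacharacters is escaped, not interpreted.
    print(render_filter("mail=${eml}", {"eml": "a*)(cn=*"}))  # mail=a\2a\29\28cn=\2a
    print(conjunction(render_filter("mail=${eml}", token), "objectClass=user"))
    # (&(mail=alice@example.com)(objectClass=user))
```

The escaping step is the part worth keeping in mind when the right side of a filter comes from a value supplied at runtime: a value that is escaped is always compared as data, whatever characters it contains.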