Federation transactions require, at a minimum, the transmission of a unique piece of information, such as an email address, that identifies the user for identity mapping between security domains.
In addition to the attributes used for identity mapping, the identity provider (IdP) can pass other user attributes in an assertion (or, for web services, in a SAML token issued through the security token service). The service provider (SP) uses this supplemental information for several purposes. For example, the SP can use attributes to map the user into a specific role with associated site permissions and authorize accordingly, or to customize the target application's display for a richer user experience. Because these attributes drive authorization decisions, the SP should consume them only from an assertion it has validated as coming from a trusted partner.
The SP can also incorporate additional attributes prior to creating a session for the target application. This is common where the SP also maintains an account for the user and wants additional information for profiling or access-policy purposes.
Attributes must be carefully managed between IdPs and SPs. PingFederate facilitates the process by providing configuration steps that enable administrators to:
- Define and enforce an attribute contract for each partner connection.
- Define and retrieve attributes from the IdP adapter, authentication policy contracts, or security token service (STS) token processor to populate an attribute contract directly or use these attributes to look up additional attributes in IdP data stores.
- Define and enforce a set of required attributes needed by SP adapters or STS token generators to interface with local systems or applications.
- Set up connections to local data stores.
- Configure specific attribute sources and lookups based on the data stores, and map attributes into IdP assertions or into the SP adapters or token generators used to interface with target applications.
- Selectively mask attribute values recorded in transaction logs.
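The following is an added, illustrative example of the SP-side half of this procedure, written for this page; it is not PingFederate code and does not use PingFederate's configuration format. It parses a constructed (and deliberately unsigned) SAML 2.0 assertion, enforces a hypothetical attribute contract by failing closed when a required attribute is absent and discarding attributes outside the contract, maps a group attribute to an application role, and masks the contract's sensitive values in the transaction log line. The attribute names (mail, memberOf, employeeNumber), the group DNs, the role names and the CONTRACT and ROLE_MAP tables are all assumptions. A real SP verifies the assertion signature, issuer, audience and validity window before any of this runs.

```python
"""Illustrative SP-side attribute contract enforcement (added example, not PingFederate's code)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion used only as input for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cn=admins,ou=groups,dc=example,dc=com</saml:AttributeValue>
      <saml:AttributeValue>cn=staff,ou=groups,dc=example,dc=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>00042</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="favoriteColor"><saml:AttributeValue>blue</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical attribute contract: which attributes the SP expects, which are
# mandatory, and which values must be masked when written to the transaction log.
CONTRACT = {
    "SAML_SUBJECT":   {"required": True,  "mask": True},
    "mail":           {"required": True,  "mask": True},
    "memberOf":       {"required": True,  "mask": False},
    "employeeNumber": {"required": False, "mask": True},
}

# Hypothetical group-to-role mapping used for authorization.
ROLE_MAP = {
    "cn=admins,ou=groups,dc=example,dc=com": "admin",
    "cn=staff,ou=groups,dc=example,dc=com": "user",
}
ROLE_RANK = {"admin": 2, "user": 1}


class ContractViolation(Exception):
    """Raised when the assertion does not satisfy the attribute contract."""


def parse_attributes(xml_text):
    """Return {name: [values]} from the Subject NameID and the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        attrs["SAML_SUBJECT"] = [name_id.text.strip()]
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def enforce_contract(attrs, contract=CONTRACT):
    """Fail closed on a missing required attribute; drop anything outside the contract."""
    missing = [n for n, spec in contract.items() if spec["required"] and not attrs.get(n)]
    if missing:
        raise ContractViolation(f"missing required attributes: {missing}")
    return {n: attrs[n] for n in contract if n in attrs}


def map_role(attrs, role_map=ROLE_MAP):
    """Return the highest-ranked role any of the user's groups maps to, or None."""
    best = None
    for group in attrs.get("memberOf", []):
        role = role_map.get(group)
        if role and (best is None or ROLE_RANK[role] > ROLE_RANK[best]):
            best = role
    return best


def masked_log_line(attrs, contract=CONTRACT):
    """Render attributes for the transaction log, masking values the contract marks sensitive."""
    parts = []
    for name, values in attrs.items():
        shown = "***" if contract.get(name, {}).get("mask") else "|".join(values)
        parts.append(f"{name}={shown}")
    return " ".join(parts)


def build_session(xml_text):
    """Run the full SP-side flow: parse, enforce contract, map role, log with masking."""
    attrs = enforce_contract(parse_attributes(xml_text))
    role = map_role(attrs)
    if role is None:
        raise ContractViolation("no group in memberOf maps to an application role")
    return {"subject": attrs["SAML_SUBJECT"][0], "role": role, "log": masked_log_line(attrs)}


if __name__ == "__main__":
    print(build_session(SAMPLE_ASSERTION))
```

Two design points carry over to any SP implementation: the contract is enforced before role mapping, so an assertion missing a required attribute never reaches the authorization step, and attributes not named in the contract (favoriteColor above) are discarded rather than passed through to the application.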