On the Contract Fulfillment tab, map values into the token attribute contract to be included or referenced in the access token.
- Choose a source from the Source list, and then select a value from the Value list for each attribute in the contract, or enter your own.
Map each attribute from one of the following sources:
- Client Credentials, IdP Adapter, IdP Connection, Password Credential Validator, or Token Exchange Processor Policy
Depending on the selections under Context in the Access Token Attribute Mapping tab, you can map attributes from that specific authentication system. Select the corresponding context under Source and the desired attribute under Value.
- Persistent Grant
When selected, the associated Value list is populated with the USER_KEY and extended attributes from the persistent access-token grant.
- Context
Values are returned from the context of the transaction at runtime.
Note: The HTTP Request context value is retrieved as a Java object rather than text. For this reason, OGNL expressions are preferred to evaluate and return values.
Select Expression under Source, and then click Edit to enter an expression.
The HTTP Request Java object retrieves the authentication method that a client uses, or the private key JWT for client authentication if the client uses the private_key_jwt authentication method. For sample expressions, see Expressions for OAuth and OpenID Connect use cases.
If the Expression selection is not available, you can enable it by editing the org.sourceid.common.ExpressionManager.xml file in the <pf_install>/pingfederate/server/default/data/config-store directory.
- Extended Client Metadata
Values are returned from the client record.
- LDAP/JDBC/Other
Values are returned from your datastore, if used. When you make this selection, the Value list populates with attributes from the datastore.
- Expression
When enabled, this option provides more complex mapping capabilities, such as transforming incoming values into different formats. All of the variables available for text entries are also available for expressions.
- No Mapping
This option ignores the Value field, so no value selection is necessary.
- Text
The value is what you enter. This can be text only, or you can mix text with references to the USER_KEY using the ${USER_KEY} syntax. When applicable, you can also enter values from your datastore using the ${ds.attribute} syntax, where attribute is any of the datastore attributes you have selected.
Tip: You can reference attribute values in the form of ${attributeName:-defaultValue}. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use ${ and } in the default value.
- Click Next.
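The Text source's ${...} reference syntax described above, modelled as an added example (not PingFederate code): a resolver plus a lint check you can run over mapping values before entering them. The function names, attribute names and sample values are constructed, and returning empty text for an unavailable attribute with no default is an assumption of this model, not documented product behaviour.

```python
import re

# ${name} or ${name:-default}; a default may not contain "${" or "}" (see the Tip above).
REF = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")

# Constructed sample values standing in for runtime attributes.
SAMPLE_ATTRIBUTES = {"USER_KEY": "jdoe", "ds.mail": "jdoe@example.com"}


def resolve_text_mapping(template, attributes):
    """Return (value, missing): the expanded text, and the references that
    had neither a runtime value nor a default."""
    missing = []

    def expand(match):
        name, default = match.group(1), match.group(2)
        value = attributes.get(name)
        if value is not None:
            return str(value)
        if default is not None:
            return default
        missing.append(name)
        return ""  # assumption: model an unavailable attribute as empty text

    return REF.sub(expand, template), missing


def lint_text_mapping(template, known_names):
    """Flag unknown attribute names and malformed or nested references."""
    issues = []
    for match in REF.finditer(template):
        name, default = match.group(1), match.group(2)
        if name not in known_names:
            issues.append(f"unknown attribute: {name}")
        if default is not None and "${" in default:
            issues.append(f"default for {name} contains '${{'")
    leftover = REF.sub("", template)
    if "${" in leftover or "}" in leftover:
        issues.append("unbalanced or nested ${...} reference")
    return issues


if __name__ == "__main__":
    for text in ("${USER_KEY}", "${ds.department:-unassigned}", "${ds.phone}"):
        print(text, "->", resolve_text_mapping(text, SAMPLE_ATTRIBUTES))
```

A non-empty `missing` list marks a token attribute that would be issued without a real value, which is worth catching before resource servers start relying on that attribute.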