PingFederate Server

Configuring access token mapping

Map your policy contract context to the JWT access token manager.

Steps

  1. Go to Applications → OAuth → Access Token Mappings.

  2. On the Access Token Mappings page, in the Context menu, select your policy contract.

  3. In the Access Token Manager menu, select your JWT ATM.

  4. Click Add Mapping.

  5. On the Attribute Sources & User Lookup tab, click Next.

  6. On the Contract Fulfillment tab, select a Source and a Value to map into the admin_role, iss, memberOf, and sub attributes in the Contract list.

    Screen capture of the Contract Fulfillment tab, on which you select a source and a value to map into the admin_role, iss, memberOf, and sub attributes.

    1. For the admin_role attribute, select Expression in the Source menu and, in the Value field, enter the following expression:

      #filter1 = "^pf_admins.*",
      #filter2 = "^pf_cryptoadmins.*",
      #filter3 = "^pf_useradmins.*",
      #role1 = "admin",
      #role2 = "cryptoadmin",
      #role3 = "useradmin",
      #role4 = "expressionadmin",

      #outboundattribute = new java.util.ArrayList(),

      #groups = #this.get("apc.memberOf")!=null?#this.get("apc.memberOf").getValues():{},

      #i = 0,

      #groups.{
      #group = #this,
      #group = new javax.naming.ldap.LdapName(#groups[#i]),
      #cn = #group.getRdn(#group.size() - 1).getValue().toString(),

      #cn.matches(#filter1)?#outboundattribute.add(#role1):null,
      #cn.matches(#filter1)?#outboundattribute.add(#role4):null,
      #cn.matches(#filter2)?#outboundattribute.add(#role2):null,
      #cn.matches(#filter3)?#outboundattribute.add(#role3):null,

      #i = #i + 1},

      #outboundattribute.size() > 0 ? new org.sourceid.saml20.adapter.attribute.AttributeValue(#outboundattribute):null

      This example OGNL expression reads the memberOf values from the policy contract, extracts the common name (CN) from each group distinguished name (DN), matches the CN against the filters, and assigns a role for each filter that matches. In the expression, anyone in the Admins group is assigned both the Admin and Expression Admin roles, because the Expression Admin role requires the Admin role assignment. Mapping roles this way lets you control administrative access with groups from your identity provider's data source. Make the filter values in the expression match the group names created in your LDAP directory so that those groups are granted the corresponding roles.

    2. For the iss attribute, select Text in the Source menu, and enter a text string in the Value field.

      Make a note of the text string. The value entered here becomes the issuer (iss) claim value and should identify your organization as the issuer.

    3. For the memberOf attribute, select Authentication Policy Contract in the Source menu, and memberOf in the Value menu.

    4. For the sub attribute, select Persistent Grant in the Source menu, and USER_KEY in the Value menu.

    5. Click Next.

  7. On the Issuance Criteria tab, click Next.

  8. On the Summary tab, review your mappings. Click Save.
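As an added illustration of the role-mapping expression in step 6 (this is example code, not part of the PingFederate documentation or product), the following Python script reproduces the same logic: it takes the CN of each memberOf group DN, full-matches it against the three filters the way Java's String.matches() does, and returns the role list, or None where the expression returns null. The sample DNs are constructed, and the filter patterns assume the `.*` suffix on all three filters.

```python
import re

# Filter patterns and roles taken from the OGNL expression in step 6; the
# ".*" suffix is assumed on all three filters.
ROLE_FILTERS = [
    (r"^pf_admins.*", ["admin", "expressionadmin"]),  # Expression Admin requires Admin
    (r"^pf_cryptoadmins.*", ["cryptoadmin"]),
    (r"^pf_useradmins.*", ["useradmin"]),
]


def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def group_cn(dn):
    """Value of the leftmost RDN, i.e. what LdapName.getRdn(size()-1).getValue() returns."""
    _, _, value = split_rdns(dn)[0].partition("=")
    return re.sub(r"\\(.)", r"\1", value)  # drop escape backslashes


def admin_roles(member_of):
    """Mirror the expression: collect roles for every group CN matching a filter."""
    roles = []
    for dn in member_of or []:  # null memberOf -> empty list, as in the expression
        cn = group_cn(dn)
        for pattern, granted in ROLE_FILTERS:
            if re.fullmatch(pattern, cn):  # Java String.matches() is a full match
                roles.extend(granted)
    return roles or None  # the expression yields null when no filter matched


if __name__ == "__main__":
    # Constructed sample memberOf values, not taken from a real directory.
    sample = ["cn=pf_admins,ou=groups,dc=example,dc=com", "cn=sales,ou=groups,dc=example,dc=com"]
    print(admin_roles(sample))  # ['admin', 'expressionadmin']
```

Because the filters end in `.*`, any group whose CN merely starts with pf_admins (pf_admins2, for example) also grants the Admin role; if your directory contains similarly named groups, anchor the pattern with `$` or match exact group names.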