PingOne

Built-in attributes

The Trust Framework provides built-in attributes that enable you to use PingOne service and user profile data right out of the box.

Built-in attributes are nested under the PingOne parent attribute on the Attributes tab. PingOne Authorize owns the PingOne parent attribute and its children.

The Shield icon indicates that these attributes are system-owned and editing restrictions apply. You can’t move, update, or delete these attributes. You can’t nest your own attributes under the PingOne and user ID attributes. This ensures that built-in attributes are configured correctly and always available.

User attributes

Built-in User attributes model user identity information for use in other attributes and directly in policies. You can nest your own attributes under the User attribute.

  • To use built-in user attributes, make sure that the PingOne SSO service is enabled in your environment. This provides access to user profile information in the PingOne Directory.

  • These attributes resolve identities stored in the PingOne Directory and do not access user information in external identity stores. If you’re using an external identity store, create your own user attributes that resolve against your identity store.

  • When you run test scenarios for these attributes on the Test tab, use the PingOne User field to simulate a request from any user in the current environment.

Screen capture of the Attributes tab in the PingOne Authorize Trust Framework showing the User and ID attributes nested under the PingOne parent attribute.

The following built-in user attributes resolve from the userContext.userId property of the decision request. These attributes are derived from properties of the PingOne user object. Learn more about the user object in Users data model.

Attribute (Data type): Description

User (JSON)

The PingOne.User attribute returns a JSON object that provides data about the identity requesting access to a resource.

This attribute retrieves the PingOne user object through the /environments/{envID}/users/{userID} endpoint.

Learn more about the PingOne User resolver in Resolvers.

ID (String)

The PingOne.User.ID attribute returns the ID of the identity requesting access to a resource.

Learn more about the PingOne User ID resolver in Resolvers.

email (String)

The PingOne.User.email attribute returns the email address of the identity requesting access to a resource.

This attribute uses a JSON Path processor to extract the user’s email address from the PingOne.User attribute.

name (JSON)

The PingOne.User.name attribute returns a JSON object that provides the name schema for the identity requesting access to a resource.

This attribute uses a JSON Path processor to extract the user’s name information from the PingOne.User attribute. As an example, consider a user called Gregory Eric Jones whose father has the same name.

family (String)

The PingOne.User.family attribute returns the last name of the identity requesting access to a resource.

This attribute uses a JSON Path processor to extract the user’s last name, for example Jones, from the PingOne.User.name attribute.

formatted (String)

The PingOne.User.formatted attribute returns the fully formatted name of the identity requesting access to a resource.

This attribute uses a JSON Path processor to extract the user’s formatted name, for example Mr. Gregory E. Jones, II, from the PingOne.User.name attribute.

given (String)

The PingOne.User.given attribute returns the first name of the identity requesting access to a resource.

This attribute uses a JSON Path processor to extract the user’s first name, for example Gregory, from the PingOne.User.name attribute.

primaryPhone (String)

The PingOne.User.primaryPhone attribute returns the main phone number of the identity requesting access to a resource.

This attribute uses a JSON Path processor to extract the user’s phone number from the PingOne.User attribute.

username (String)

The PingOne.User.username attribute returns the username of the identity requesting access to a resource.

This attribute uses a JSON Path processor to extract the username from the PingOne.User attribute.

Built-in user attributes comprise a subset of the standard and core PingOne user attributes available in Directory > User Attributes. You can generate attributes in PingOne Authorize for standard, core, and custom PingOne user attributes that are not already built-in, and use them in conditions, processors, and rules.

Screen capture showing User attributes that you can generate in a gray font.

Changes made to PingOne user attributes, such as deleting an attribute or changing a custom attribute’s description, do not affect the corresponding built-in or generated user attributes in PingOne Authorize, as long as they are in use. Deleting a PingOne user attribute deletes the corresponding attribute in PingOne Authorize if the attribute has no dependencies.

Changes made to built-in user attributes in PingOne Authorize do not affect the corresponding PingOne user attributes. For example, changing the name of the built-in email attribute to emailAddress in PingOne Authorize doesn’t change the name of the associated PingOne email user attribute. The PingOne Authorize emailAddress attribute will continue to work as usual to resolve the user’s email address.

API Access Management attributes

API Access Management attributes model API services and operations, HTTP requests and responses, and access tokens. PingOne Authorize generates these attributes when you enable custom policies for an API service.

Screen capture of the Attributes tab in the PingOne Authorize Trust Framework showing API Access Management attributes nested under the PingOne parent attribute.

Creating attributes from built-in attributes

You can derive your own attributes from built-in API Access Management attributes, as shown in the following examples:

Custom access token claim attribute

In the following attribute, a value processor is used to resolve a custom claim called title from the built-in PingOne.API Access Management.Identity.Access Token attribute. To ensure that a token without the custom claim is resolved successfully, the attribute has an empty string as its default value. In this example, the claim’s JSON data type is String. Access token claims can have other data types, including Number and Collection.

Screen capture showing an Access Token attribute resolver and a JSON Path value processor that work together to extract the custom Title claim from the access token.

HTTP request header attribute

To allow policy authors to use a custom header in policies, you can define an attribute that extracts a custom header value from an HTTP request or response. In the following attribute, a value processor is used to resolve the X-Shared-Secret value from the built-in PingOne.API Access Management.HTTP.Request.Headers attribute as a collection. To ensure that a header without the custom value is resolved successfully, the attribute has an empty collection as its default value.

Screen capture showing a Request Headers attribute resolver and a JSON Path value processor that work together to extract a custom header value.

API operation path parameters

If an API operation path includes a parameter, you can define an attribute that allows policy authors to use the parameter in custom policies. For example, the following attribute extracts the user ID from a decision request that matches an API operation defined with the path /records/user/{userId}. For information about using this attribute in a policy, see Adding custom policies for API services and operations.

Screen capture showing a resolver for the API Access Management Path Parameters attribute working with a JSON Path processor to extract the user ID from the decision request URL.
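The three derived attributes above, together with the JSON Path extraction that the built-in user attributes use, modelled as an added example (not PingOne Authorize code). The decision request, the dotted-path lookup standing in for the JSON Path processor, and the template matcher standing in for the Path Parameters resolver are all constructed here; the point is that each attribute falls back to the default the page specifies when the claim, header or parameter is absent.

```python
import re

# Constructed decision request (sample values, not real data): a PingOne user
# object, access-token claims, request headers and the request path.
DECISION_REQUEST = {
    "user": {
        "id": "user-1234",
        "email": "gregory.jones@example.com",
        "name": {"given": "Gregory", "family": "Jones",
                 "formatted": "Mr. Gregory E. Jones, II"},
        "username": "gjones",
    },
    "access_token": {"sub": "user-1234", "acr": "Multi_Factor"},
    "headers": {"Content-Type": ["application/json"]},
    "path": "/records/user/user-1234",
}

def json_path(doc, path, default):
    """Stand-in for the JSON Path value processor: walk a dotted path and
    return the attribute's default value when any segment is missing."""
    node = doc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def path_parameters(template, path):
    """Stand-in for the Path Parameters resolver: match the operation's path
    template (e.g. /records/user/{userId}) against the request path."""
    pattern = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    match = re.fullmatch(pattern, path)
    return match.groupdict() if match else {}

def resolve_attributes(req):
    """Resolve the derived attributes this page describes from one request."""
    return {
        # Built-in user attributes: JSON Path over the PingOne.User object.
        "PingOne.User.email": json_path(req["user"], "email", None),
        "PingOne.User.family": json_path(req["user"], "name.family", None),
        # Custom claim: empty-string default so tokens without it still resolve.
        "Access Token.title": json_path(req["access_token"], "title", ""),
        # Custom header resolved as a collection; empty-collection default.
        "Request.Headers.X-Shared-Secret": req["headers"].get("X-Shared-Secret", []),
        # Path parameter from the operation /records/user/{userId}.
        "Path Parameters.userId": path_parameters(
            "/records/user/{userId}", req["path"]).get("userId"),
    }
```

A policy that compares Path Parameters.userId with PingOne.User.ID should also handle the empty defaults, since a missing header or claim resolves successfully rather than failing the request.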

Step-up authentication attributes

The following attributes are used in basic access control rules for step-up authentication. You can also use them in custom policies. PingOne Authorize generates these attributes when you deploy an API service.

Attribute (Data type): Description

Authentication Age (Number)

The API Access Management.Identity.Access Token.Authentication Age attribute returns the number of seconds since the end user was authenticated.

This attribute uses the System Current DateTime resolver and a SpEL processor to calculate the number of seconds since the Authentication Time.

Authentication Policy (String)

The API Access Management.Identity.Access Token.Authentication Policy attribute returns the authentication policy that was satisfied when the access token was issued. An authentication policy is also called an authentication context class reference (ACR).

If the access token contains an acr claim, this attribute uses a JSON Path processor to extract the acr value from the API Access Management.Identity.Access Token attribute.

Authentication Time (Zoned Date Time)

The API Access Management.Identity.Access Token.Authentication Time attribute returns the date and time when the end user was authenticated.

If the access token contains an auth_time claim, this attribute uses a JSON Path processor to extract the date and time from the API Access Management.Identity.Access Token attribute. If the claim is missing from the token, the default value is January 1, 1970.
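The three step-up attributes and the basic access control rule built on them, as an added example (not PingOne Authorize code). The tokens, the clock value and the ACR names are constructed; the SpEL calculation is mirrored in plain Python. It also shows the consequence of the January 1, 1970 default: a token with no auth_time claim resolves to an enormous Authentication Age, so a maximum-age rule treats it as stale rather than as fresh.

```python
from datetime import datetime, timezone

# Default Authentication Time when the token has no auth_time claim.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def authentication_time(claims):
    """Authentication Time: the auth_time claim as a zoned date time,
    or the epoch default when the claim is missing."""
    if "auth_time" in claims:
        return datetime.fromtimestamp(int(claims["auth_time"]), tz=timezone.utc)
    return EPOCH

def authentication_policy(claims):
    """Authentication Policy: the acr claim, or None when the token has none."""
    return claims.get("acr")

def authentication_age(claims, now):
    """Authentication Age: whole seconds between the current date time
    (System Current DateTime resolver) and Authentication Time."""
    return int((now - authentication_time(claims)).total_seconds())

def requires_step_up(claims, now, max_age_seconds, required_acr):
    """Basic access control rule: step up when the authentication is older
    than max_age_seconds or was not performed under the required ACR."""
    return (authentication_age(claims, now) > max_age_seconds
            or authentication_policy(claims) != required_acr)

# Constructed clock and tokens (sample values, not real data).
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
FRESH_MFA = {"sub": "user-1234", "acr": "Multi_Factor",
             "auth_time": int(NOW.timestamp()) - 300}
STALE_SINGLE_FACTOR = {"sub": "user-1234", "acr": "Single_Factor",
                       "auth_time": int(NOW.timestamp()) - 7200}
NO_AUTH_TIME = {"sub": "user-1234"}
```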