Configuring attribute mapping on Ping Identity

Last Updated : Jun 05, 2026 |

About this task

To authenticate a user, Ping Identity sends an authentication response to Keycloak containing various user attributes, such as the first name, last name, phone number, or email address. Keycloak then maps this user information to the attributes of the access token that is generated and sent back to clients. Use this procedure to specify Keycloak attribute names on Ping Identity.

Procedure

  1. Log in to the PingOne console as the administrator.
  2. Navigate to Connection.
  3. Select your SAML v2.0 application.
  4. Select Attribute mapping and then select Edit.
  5. Configure attribute mapping as follows:

    PingOne user attribute

    Application attribute

    Required

    Username

    saml_subject

    Required

    Population ID

    Group

    Required

    Email Address

    email

    Required

    Given Name

    firstName

    Required

    Family Name

    lastName

    Required

    The following image displays configured attribute mapping on Ping Identity:

  6. Click Save.