Index | Prev | Next

S A M L Attribute Mapper (saml-SAMLAttributeMapper)

This component configures the SAML Authentication Scheme to map specific SAML attributes to properties in the User Prototype.

During SAML Single Sign On, the SAML Identity Provider (IdP) may send the Service Provider (SP) various attributes. These may contain information about the user, and can be used by the station to build the user object. Many SAML IdPs can be configured to return the attributes with a customized name. However, other IdPs may not be configurable, or IT restrictions may prevent configuring an IdP that supports this feature. It is when the IdP is not configurable that you can use this component to configure the user prototype.

To use the SAMLAttributeMapper, drag it from the saml palette to the SAMLAuthenticationScheme component in the Nav tree.

Figure 19.   Opening the SAML Attribute Mapper
Image

The IdP-provided documentation indicates which SAML attributes are coming in from the IdP. As an alternative, you can install a SAML add-on to your web browser, which lets you view the attributes coming in from the IdP. For example, there is the SAML DevTools extension for Chrome, which you can use.

In some cases, an IdP sends back multiple values for the prototypeName attribute. If the IdP sends back multiple prototypeNames after you install the following patches, the SAMLAuthenticationScheme considers all returned values and extracts the one that appears highest on the list of UserPrototypes. This is similar to how LDAP works.

  • For Niagara:
    • saml-rt-4.x.xx.xx.x
    • saml-wb-4.x.xx.xx.x

User properties that can be mapped from SAML attributes

  • Full Name
  • Expiration
  • Language
  • Email
  • Prototype Name
  • Cell PhoneNumber

The UserPrototype that is associated with the user supplies all other properties.

Default mappings

If no mappings are specified on the SAMLAuthenticationScheme, the following mappings are used.
SAML Attribute Name User Property Extra Information
Full Name fullName Not applicable.
Expiration expiration Format: D-MMM-YY h:mm:ss zz
Language language Not applicable.
Email email Not applicable.
Prototype Name prototypeName Select the CN Only checkbox if the IdP returns multiple values for user prototype.
Cell Phone Number cellPhoneNumber Not applicable.

How attribute mappings are processed

Attribute mappings are processed as follows when a user logs in to the system.

  1. Customized mappings are considered first. If there are multiple mappings to the same property, the first successful mapping is used. For example, if there were two mappings to the "expiration" property, and the first mapping failed to parse properly, the second mapping would be attempted. If the first mapping parsed correctly, the second would be ignored.
  2. Once all customized mappings are processed, the default mappings will be attempted for any User property not yet mapped.
  3. Any property not mapped from a SAML attribute will be pulled from the UserPrototype, if possible.

Related Links

  • Components (Parent Topic)

    • Related Concepts

  • Single Sign On

    • Related Tasks

  • Configuring the SAML Authentication Scheme
  • Logging in with SAML SSO
  • Customizing SAML attribute mapping

    • Related References

  • About the SAML IdP Service
  • SAML Id P Service (saml-SAMLIdPService)
  • Circle of Trust Editor (saml-CircleOfTrust)

    • Index | Prev | Next