Mapping SAML 2.0 Attributes

Use

The Security Assertion Markup Language (SAML) 2.0 assertion should include all the attributes you need for the user in the service provider. Exactly which attributes are transported is a matter of negotiation between you and the operator of the identity provider. The identity provider sends the attributes as attribute=value pairs. You need to know the name of each SAML 2.0 attribute and what kind of value it carries so you can map it to a user attribute in AS Java. If the SAML 2.0 assertion includes all the required attributes, the service provider creates a user in memory and populates the mapped profile attributes with the values from the assertion. Use this procedure to define how this mapping populates users and determines their access rights.

Prerequisites
Procedure

You can configure the following:

  • Default user attributes

  • Assertion-based user attribute mappings

  • Assertion-based role and group assignments

  • Default user role and group assignments

Assigning Default User Attributes

Default user attributes are always assigned to users once the SAML authentication is successful.

  1. On the Default User Attributes tab, choose the Add pushbutton.

  2. Select a user attribute from the list of predefined user attributes.

  3. Enter the value for the attribute.

  4. Choose OK.

  5. Add additional attributes as needed.

  6. Save your entries.

Assigning Assertion-Based User Attributes

  1. On the Assertion-Based User Attributes tab, choose the Add pushbutton.

  2. Enter the following data:

    SAML2 Attribute: Name of the attribute as sent by the identity provider in the SAML 2.0 assertion.

    User Attribute: Name of the AS Java user attribute. Choose from the list of predefined user attributes.

    Is Mandatory: Select this option if you want the service provider to require this attribute, that is, to reject the SAML assertion if the attribute is missing.

  3. Add additional attributes as needed.

  4. Save your entries.

Assigning Assertion-Based User Roles and Groups

SAML 2.0 attributes can also carry information about role or group membership. Based on the value of a SAML 2.0 attribute, the service provider can assign groups or roles to a user. In this way, the administrator of the identity provider determines the access rights of the users, chosen from the roles and groups you provide in the mapping.

  1. On the Assertion-Based User Roles tab or the Assertion-Based User Groups tab, choose the Add pushbutton.

  2. Choose the Modify pushbutton.

  3. Choose the Add pushbutton.

  4. Enter the following data:

    SAML2 Attribute: Name of the attribute sent by the identity provider that carries the role or group membership information.

    Value: The attribute value that maps to specific roles or groups.

  5. Choose the Browse pushbutton.

  6. Search for the roles or groups to assign to the user when the assertion includes the SAML 2.0 attribute with the defined value.

  7. Save your entries.

Assigning Default User Roles and Groups

You can assign roles and groups to which all users belong by default. These are in addition to the built-in groups Everyone, Anonymous Users, and Authenticated Users, and any roles assigned to these built-in groups. In this way, you can determine what access rights all users are granted by default.

  1. On the Default User Roles tab or the Default User Groups tab, choose the Modify pushbutton.

  2. Search for groups or roles and choose the Add pushbutton.

  3. Save your entries.
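The four configuration areas above (default user attributes, assertion-based user attributes with the Is Mandatory flag, assertion-based roles and groups keyed on an attribute value, and default roles and groups) combine into one evaluation whenever an assertion arrives. The following added example is not SAP code and does not use the AS Java API; it is an illustration of that evaluation in Python, with a constructed assertion, constructed configuration values and hypothetical attribute, role and group names. It assumes the assertion's signature, issuer and audience have already been validated upstream, and covers only the mapping step: defaults are applied first, a missing mandatory attribute rejects the assertion, and role and group grants fire only when the configured attribute carries the configured value.

```python
"""Illustrative SAML 2.0 attribute-to-user mapping (added example, not SAP code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion. Signature/issuer/audience checks are assumed to have
# passed before this mapping step runs; only the AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


@dataclass
class AttributeMapping:
    saml_attribute: str      # name as sent by the identity provider
    user_attribute: str      # user attribute it populates
    mandatory: bool = False  # the "Is Mandatory" flag


@dataclass
class MappingConfig:
    default_attributes: dict = field(default_factory=dict)
    attribute_mappings: list = field(default_factory=list)
    # (saml_attribute, value) -> roles/groups granted when that value is present
    assertion_roles: dict = field(default_factory=dict)
    assertion_groups: dict = field(default_factory=dict)
    default_roles: set = field(default_factory=set)
    default_groups: set = field(default_factory=set)


# Two of the built-in groups the page lists; every authenticated user is in them.
BUILT_IN_GROUPS = {"Everyone", "Authenticated Users"}


class AssertionRejected(Exception):
    """Raised when a mandatory attribute is missing from the assertion."""


def parse_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_user(assertion_xml: str, cfg: MappingConfig) -> dict:
    """Build the in-memory user: profile attributes plus roles and groups."""
    attrs = parse_attributes(assertion_xml)
    profile = dict(cfg.default_attributes)  # defaults are always assigned
    for m in cfg.attribute_mappings:
        values = attrs.get(m.saml_attribute)
        if not values:
            if m.mandatory:
                raise AssertionRejected(f"mandatory attribute {m.saml_attribute!r} missing")
            continue  # optional attribute absent: leave the profile field unset
        profile[m.user_attribute] = values[0]
    roles = set(cfg.default_roles)
    groups = set(cfg.default_groups) | BUILT_IN_GROUPS
    for (saml_attr, value), granted in cfg.assertion_roles.items():
        if value in attrs.get(saml_attr, []):   # exact value match only
            roles.update(granted)
    for (saml_attr, value), granted in cfg.assertion_groups.items():
        if value in attrs.get(saml_attr, []):
            groups.update(granted)
    return {"profile": profile, "roles": sorted(roles), "groups": sorted(groups)}


def accepts(assertion_xml: str, cfg: MappingConfig) -> bool:
    """True if the assertion passes the mandatory-attribute check."""
    try:
        map_user(assertion_xml, cfg)
        return True
    except AssertionRejected:
        return False


def example_config() -> MappingConfig:
    """Constructed configuration with hypothetical attribute, role and group names."""
    return MappingConfig(
        default_attributes={"department": "external"},
        attribute_mappings=[
            AttributeMapping("mail", "email", mandatory=True),
            AttributeMapping("givenName", "firstname"),
            AttributeMapping("telephone", "telephone"),  # optional, absent above
        ],
        assertion_roles={("memberOf", "finance"): ["FinanceViewer"],
                         ("memberOf", "admins"): ["Administrator"]},
        assertion_groups={("memberOf", "auditors"): ["AuditGroup"]},
        default_roles={"DefaultPortalUser"},
        default_groups={"SAML_Federated"},
    )


if __name__ == "__main__":
    print(map_user(SAMPLE_ASSERTION, example_config()))
```

Note that the value comparison is an exact string match, as the procedure describes: an identity provider sending `Finance` would not trigger the `finance` role grant. The mandatory check runs before any role or group is granted, so a rejected assertion never produces a partially populated user.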