SAML Attribute Mapper (saml-SAMLAttributeMapper)

This component configures the SAML Authentication Scheme to map specific SAML attributes to properties in the User Prototype.

User properties that can be mapped from SAML attributes

During SAML Single Sign On, the SAML Identity Provider (IdP) may send the Service Provider (SP) various attributes. These may contain information about the user, and the station can use them to build the user object. Many SAML IdPs can be configured to return the attributes under a customized name. However, other IdPs may not be configurable, or IT restrictions may prevent configuring an IdP that does support this feature. When the IdP is not configurable, use this component to map the attributes it does send to properties in the User Prototype.

To use the SAMLAttributeMapper, drag it from the saml palette to the SAMLAuthenticationScheme component in the Nav tree.

Figure 1. Opening the SAML Attribute Mapper

The IdP-provided documentation indicates which SAML attributes are coming in from the IdP. As an alternative, you can install a SAML add-on in your web browser that lets you view the attributes coming in from the IdP; the SAML DevTools extension for Chrome is one example.

In some cases, an IdP sends back multiple values for the prototypeName attribute. Once the following patches are installed, if the IdP returns multiple prototype names, the SAMLAuthenticationScheme considers all returned values and uses the one that appears highest on the list of UserPrototypes. This is the same behaviour as LDAP authentication.

  • For Niagara:
    • saml-rt-4.x.xx.xx.x

    • saml-wb-4.x.xx.xx.x

The following user properties can be mapped from SAML attributes:

  • Full Name

  • Expiration

  • Language

  • Email

  • Prototype Name

  • Cell Phone Number

The UserPrototype that is associated with the user supplies all other properties.

Default mappings

If no mappings are specified on the SAMLAuthenticationScheme, the following mappings are used.

SAML Attribute Name    User Property      Extra Information
Full Name              fullName           Not applicable.
Expiration             expiration         Format: D-MMM-YY h:mm:ss zz
Language               language           Not applicable.
Email                  email              Not applicable.
Prototype Name         prototypeName      Select the CN Only checkbox if the IdP returns multiple values for user prototype.
Cell Phone Number      cellPhoneNumber    Not applicable.

How attribute mappings are processed

Attribute mappings are processed as follows when a user logs in to the system.

  1. Customized mappings are considered first. If there are multiple mappings to the same property, the first successful mapping is used. For example, if there were two mappings to the "expiration" property, and the first mapping failed to parse properly, the second mapping would be attempted. If the first mapping parsed correctly, the second would be ignored.

  2. Once all customized mappings have been processed, the default mappings are attempted for any user property not yet mapped.

  3. Any property not mapped from a SAML attribute will be pulled from the UserPrototype, if possible.
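To make the three steps concrete, here is an added Python model of the precedence rules; it is example code, not Niagara's own implementation. The function names (`resolve_user`, `make_prototype_parser`, `cn_only`), the `PROTOTYPE_ORDER` list, the sample IdP attributes and the custom mappings are all constructed for the example, and the expiration parser accepts ISO 8601 in place of the station's D-MMM-YY h:mm:ss zz format.

```python
"""Model of the SAMLAttributeMapper precedence rules (added example, not
Niagara code): custom mappings first, first successful mapping per property
wins, then default mappings, then the UserPrototype fills the rest."""
from datetime import datetime
from typing import Callable, Dict, List, Sequence, Tuple

# A mapping is (SAML attribute name, user property, parser).  A parser gets the
# values the IdP sent for that attribute and raises ValueError when it cannot
# produce the property, which makes that one mapping fail rather than the login.
Parser = Callable[[List[str]], object]
Mapping = Tuple[str, str, Parser]

USER_PROPERTIES = ["fullName", "expiration", "language", "email",
                   "prototypeName", "cellPhoneNumber"]
PROTOTYPE_ORDER = ["Admins", "Operators", "Default Prototype"]  # constructed list

def first_value(values: List[str]) -> str:
    """Plain mapping: use the (first) value exactly as sent."""
    if not values:
        raise ValueError("attribute has no value")
    return values[0]

def parse_expiration(values: List[str]) -> datetime:
    """Assumption: ISO 8601 stands in for the station's D-MMM-YY h:mm:ss zz format."""
    return datetime.fromisoformat(first_value(values))

def cn_only(value: str) -> str:
    """Reduce an LDAP-style DN to its CN, as the CN Only checkbox does."""
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        if key.upper() == "CN":
            return val
    return value

def make_prototype_parser(order: Sequence[str], use_cn_only: bool) -> Parser:
    """Of several returned prototype names, keep the one highest on the station's list."""
    rank = {name: i for i, name in enumerate(order)}
    def parse(values: List[str]) -> str:
        names = [cn_only(v) if use_cn_only else v for v in values]
        known = [n for n in names if n in rank]
        if not known:
            raise ValueError("no returned value names a UserPrototype")
        return min(known, key=rank.__getitem__)
    return parse

def default_mappings(use_cn_only: bool = True) -> List[Mapping]:
    """The page's default mapping table."""
    return [
        ("Full Name", "fullName", first_value),
        ("Expiration", "expiration", parse_expiration),
        ("Language", "language", first_value),
        ("Email", "email", first_value),
        ("Prototype Name", "prototypeName",
         make_prototype_parser(PROTOTYPE_ORDER, use_cn_only)),
        ("Cell Phone Number", "cellPhoneNumber", first_value),
    ]

def resolve_user(attrs: Dict[str, List[str]], custom: Sequence[Mapping],
                 defaults: Sequence[Mapping],
                 prototype_defaults: Dict[str, object]) -> Dict[str, object]:
    """Apply the three stages in order and return the resolved user properties."""
    resolved: Dict[str, object] = {}

    def apply(mappings: Sequence[Mapping]) -> None:
        for saml_name, prop, parser in mappings:
            if prop in resolved or saml_name not in attrs:
                continue              # already mapped, or attribute not sent
            try:
                resolved[prop] = parser(attrs[saml_name])
            except ValueError:
                continue              # parse failed: fall through to the next

    apply(custom)     # 1. customized mappings, in configured order
    apply(defaults)   # 2. default mappings for anything still unmapped
    for prop in USER_PROPERTIES:      # 3. the UserPrototype supplies the rest
        if prop not in resolved and prop in prototype_defaults:
            resolved[prop] = prototype_defaults[prop]
    return resolved

def demo() -> Dict[str, object]:
    """Constructed IdP attributes and custom mappings, not a captured assertion."""
    attrs = {
        "Full Name": ["Ada Lovelace"],
        "mail": ["ada@example.com"],                # IdP uses a non-default name
        "Expiration": ["31-Dec-26 11:59:59 PM"],    # first mapping fails to parse
        "accountExpires": ["2026-12-31T23:59:59"],  # second mapping succeeds
        "Prototype Name": ["CN=Operators,OU=Groups,DC=example,DC=com",
                           "CN=Admins,OU=Groups,DC=example,DC=com"],
    }
    custom = [
        ("mail", "email", first_value),
        ("Expiration", "expiration", parse_expiration),
        ("accountExpires", "expiration", parse_expiration),
    ]
    prototype_defaults = {"language": "en", "cellPhoneNumber": ""}
    return resolve_user(attrs, custom, default_mappings(), prototype_defaults)
```

Calling `demo()` exercises each rule: the first custom expiration mapping fails to parse and the second one is used; the default table then fills fullName and prototypeName, where Admins wins over Operators because it sits higher on the prototype list; language and cellPhoneNumber, sent by neither mapping, come from the prototype defaults.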