Map SAML variable value to a specific user attribute.
Hello,
I'm currently working on a setup where the users have to authenticate with an external SAML IdP to access a webtop with some Portal Access resources.
The problem I'm facing is that I have to map a SAML variable that I receive from the external IdP to a user attribute from the local AD.
My VPE looks like this.
SAML auth -> Variable assign -> AD query -> SSO
The Variable assign converts the SAML variable to session.logon.last.username.
My question is how do I map the SAML variable value to a specific user in the AD?
Thanks in advance.
Not sure if this is an answer to your question, but with the Variable Assign agent you will fill the session.logon.last.username session variable with the content of a session variable, for example session.saml.last.identity. Then you will use the AD Query agent to perform an AD query like (sAMAccountName=%{session.logon.last.username}) and fetch the AD attributes you need for this user.
It could also be that the IdP sends the e-mail address of the user, and you'll need to do a query on the AD using the e-mail address, to resolve the sAMAccountName. Either way you'll need some unique identifier that the IdP passes as a SAML attribute that helps you identify the user in your AD.
- SajidCirrostratus
In version 12.1.2
Access Policy > SAML > Local IdP Services >
select your IdP Service and edit
Under Edit IdP Service > SAML Attributes
Click on Add
Name of the SAML attribute
Under Attribute Value(s) click Add and enter the AD attribute value as
%{session.logon.last.logonname} as an example
Click OK
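The first reply's branch (SAML Auth, then Variable Assign into session.logon.last.username, then an AD Query filter such as (sAMAccountName=%{session.logon.last.username})) modelled in plain Python so the mapping can be checked offline. This is an added example, not code from the thread or from F5; the directory contents, the function names (variable_assign, build_filter, ad_query, resolve_user) and the "exactly one match" rule are this example's own assumptions. It also covers the e-mail case from the reply and the two things a practitioner will want to see handled: an IdP value that carries LDAP filter metacharacters, and an identifier that is not unique in the directory.

```python
"""Added example (not from the thread or from F5): the reply's
SAML auth -> Variable assign -> AD query flow modelled in Python
against a constructed in-memory directory. Names and data are
this example's own."""

# Constructed stand-in for the local AD; only the attributes the
# flow touches are modelled.
FAKE_AD = [
    {"sAMAccountName": "jdoe", "mail": "john.doe@example.com",
     "memberOf": ["CN=Portal-Users,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "asmith", "mail": "anna.smith@example.com",
     "memberOf": []},
    # Two accounts sharing a mail value: mail is not a unique key here.
    {"sAMAccountName": "svc-a", "mail": "shared@example.com", "memberOf": []},
    {"sAMAccountName": "svc-b", "mail": "shared@example.com", "memberOf": []},
]


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters. A %{...} substitution
    drops the IdP-supplied value into the filter text, so a value that
    may contain '*', '(', ')', '\\' or NUL must be escaped (or rejected)
    before it is used as a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c
                   for c in value)


def variable_assign(saml_attrs, source_attr):
    """Variable Assign agent: session.logon.last.username =
    session.saml.last.<source_attr>. A missing attribute is a failure,
    not an empty username."""
    value = saml_attrs.get(source_attr)
    if not value:
        raise ValueError("IdP did not send %s" % source_attr)
    return value


def build_filter(lookup_attr, username):
    """The filter string an AD Query agent would send, e.g.
    (sAMAccountName=%{session.logon.last.username}), with the
    substituted value escaped."""
    return "(%s=%s)" % (lookup_attr, ldap_escape(username))


def ad_query(lookup_attr, username):
    """AD Query agent against the constructed directory: exact,
    case-insensitive equality on lookup_attr (no wildcard semantics)."""
    return [entry for entry in FAKE_AD
            if entry.get(lookup_attr, "").lower() == username.lower()]


def resolve_user(saml_attrs, source_attr, lookup_attr):
    """Whole branch: returns the AD entry for the authenticated user.
    Zero matches means an unknown user; more than one means the chosen
    identifier is not unique, and SSO must not proceed on a guess."""
    username = variable_assign(saml_attrs, source_attr)
    matches = ad_query(lookup_attr, username)
    if len(matches) != 1:
        raise LookupError("%s matched %d accounts"
                          % (build_filter(lookup_attr, username), len(matches)))
    return matches[0]


if __name__ == "__main__":
    # Constructed assertion attributes, as a SAML Auth agent would
    # expose them under session.saml.last.*
    assertion = {"identity": "jdoe", "email": "john.doe@example.com"}
    user = resolve_user(assertion, "email", "mail")
    print(build_filter("mail", assertion["email"]), "->", user["sAMAccountName"])
```

Map the IdP attribute that is actually unique in your directory (identity to sAMAccountName, or mail to mail and read sAMAccountName back from the result), and treat anything other than exactly one hit as a policy failure rather than falling through to SSO.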