Extending the Single Sign-On Connector

The Identity Provider sends a list of key value pairs as claims. Common attributes have been added to the connector, however, this list is not exhaustive.

You may wish to add additional attributes. The ICNF file for the connector is configured with a basic fieldset which makes those claims available in the ASM resource mapping for Field Matching.

<fieldSets>
<fieldSet xsi:type="mappedFieldSet" fieldSetID="UserProperties" queryID="TheRow">

<field xsi:type="mappedField" fieldID="Email Address" fieldDisplay="Email Address" dataType="string" select="Email Address" />

<field xsi:type="mappedField" fieldID="User Name" fieldDisplay="User Name" dataType="string" select="User Name" />

<field xsi:type="mappedField" fieldID="First Name" fieldDisplay="First Name" dataType="string" select="First Name" />

<field xsi:type="mappedField" fieldID="Surname" fieldDisplay="Surname" dataType="string" select="Surname" />

<field xsi:type="mappedField" fieldID="Member Of" fieldDisplay="Member Of" dataType="string" select="Member Of" />

<field xsi:type="mappedField" fieldID="User Principal Name" fieldDisplay="User Principal Name" dataType="string" select="User Principal Name" />

<field xsi:type="mappedField" fieldID="Account Name" fieldDisplay="Account Name" dataType="string" select="Account Name" />

<field xsi:type="mappedField" fieldID="Company" fieldDisplay="Company" dataType="string" select="Company" />

</fieldSet>
</fieldSets>

fieldID in the mappedField corresponds to the name of the claim.

The claim names are user defined, although ADFS uses some standardised names by default.

Given Name in ADFS is sent as

 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Some of these names are mapped in code to a more user friendly value:

Dictionary<string, string> claimTypeAliases = new Dictionary<string, string>
        {
            { ClaimTypes.Email, InternalClaimTypes.EmailAddress },
            { GlobalClaimTypes.EmailAddress, InternalClaimTypes.EmailAddress },
            { ClaimTypes.GivenName, InternalClaimTypes.FirstName },
            { ClaimTypes.Surname, InternalClaimTypes.Surname },
            { GlobalClaimTypes.MemberOf, InternalClaimTypes.MemberOf }
        };
        static class GlobalClaimTypes
        {
            public const string EmailAddress = "
http://schemas.xmlsoap.org/claims/EmailAddress
";
            public const string MemberOf = "
http://schemas.xmlsoap.org/claims/Group
";
        }
        static class InternalClaimTypes
        {
            public const string UserName = "User Name";
            public const string FirstName = "First Name";
            public const string Surname = "Surname";
            public const string EmailAddress = "Email Address";
            public const string MemberOf = "Member Of";
        }

SAML supports free text definition of key names for claims (Outgoing Claim Types)

All Claims are included in the standard ASM Diagnostic Tracing to assist with troubleshooting issues.

Adding New Claims to the ICNF File

Additional claims can be defined by the Identity Provider. To make them available to the connector, those claims must be added to the ICNF File.

To add support for a custom claim, you simply need to add a new field to the existing fieldSet.

<field xsi:type="mappedField" fieldID="Custom Claim Name" fieldDisplay="The name to display in the resource mapping drop down" dataType="string" select="Custom Claim Name" />

Each SAML claim can define one or more values. E.g. a user could have multiple Email Addresses.

In this case, the claim values are received as a list. This list is then converted to a semi-colon separated string.

a.user@alembagroup.com;auser@alembagroup.com

This value can then be parsed in the Resource Mapping by using a Transform.

Copyright 2023 Alemba, ASM EOS 10.4