Configure identity provider mappers
After creating an identity provider in Access Manager, you can add mappers to it.
Prerequisites
- You have an identity provider created in Access Manager. For details, see Configure SAML/OpenID Connect.
Procedure
On the left side bar, click Identity Providers.
In the list of identity providers, click the identity provider for which you want to add a mapper.
The configuration page related to this identity provider opens.
Click the Mappers tab.
The list of existing mappers is displayed (if any are available).
Click Create.
The Add identity providers mapper pane opens.
Enter a name for the mapper.
Select a sync mode override option (how the mapper should update user information when the user logs in repeatedly):
- legacy — Use the behavior in the previous Access Manager version.
- import — Import data only when the user is first created in Access Manager, that is, during the first login to Access Manager with a particular identity provider.
- force — Update user data at each user login.
- inherit — Use the sync mode configured in the identity provider; each of the other options overrides that sync mode.
Select a mapper type.
Mapper types related to SAML
Use the following list to find the appropriate type for your mapper.
- Username Template Importer: Format the username to be imported.
- Hardcoded User Session Attribute: Hardcode a value for a specific user session attribute when the user is imported from the provider.
- Attribute Importer: Import the declared SAML attribute (if it exists in the assertion) into the specified user property or attribute.
- Hardcoded Role: Hardcode a role mapping for the user that is imported from the identity provider.
- Hardcoded Attribute: Hardcode a value for a specific user attribute when the user is imported from the identity provider.
- SAML Attribute to Role: Grant the user the corresponding realm role or application role (if a claim exists).
Mapper types related to OpenID Connect
Use the following list to find the appropriate type for your mapper.
- Hardcoded User Session Attribute: Hardcode a value for a specific user session attribute if the user is imported from the provider.
- Attribute Importer: Import the declared claim, if it exists in the ID token, the access token, or the claim set returned by the user profile endpoint, into the specified user property or attribute.
- Hardcoded Role: Hardcode a role mapping for the user if the user is imported from the provider.
- Claim to Role: Grant the specified realm role or application role to the user if a claim exists.
- Hardcoded Attribute: Hardcode a value for a specific user attribute if the user is imported from the identity provider.
- Username Template Importer: Format the username to be imported.
Depending on the mapper type, different settings are required. Complete them as appropriate.
View the settings for the mapper types. The lists below describe the fields needed for each mapper type.
For SAML
For SAML, the following mapper types are available.
Username Template Importer
- Template: Specify the template for formatting the username that will be imported.
Hardcoded User Session Attribute
- User Session Attribute: Specify the name of the user session attribute that you want to hardcode.
- User Session Attribute Value: Specify the value that you want to hardcode.
Attribute Importer
- Attribute Name: Specify the name of the attribute for which to search in the assertion. You can leave this field blank and specify Friendly Name instead.
- Friendly Name: Specify the user-friendly name of the attribute for which to search in the assertion. You can leave this field blank and specify the attribute name instead.
- User Attribute Name: Specify the user attribute name for storing the SAML attribute. Use email, lastName, and firstName to map to those predefined user properties.
Hardcoded Role
- Role: Specify the role to be granted to the user. To refer to an application role, use the following syntax: appname.approle (for example, myapp.myrole).
Hardcoded Attribute
- User Attribute: Specify the name of the user attribute to be hardcoded.
- User Attribute Value: Specify the value that you want to hardcode.
SAML Attribute to Role
- Attribute Name: Specify the name of the attribute for which to search in the assertion. You can leave this field blank and specify Friendly Name instead.
- Friendly Name: Specify the user-friendly name of the attribute for which to search in the assertion. You can leave this field blank and specify the attribute name instead.
- Attribute Value: Specify the value that the attribute must have. If the attribute is a list, the value must be contained in the list.
- Role: Specify the role to be granted to the user. To refer to an application role, use the following syntax: appname.approle (for example, myapp.myrole).
For OpenID Connect
For OpenID Connect, the following mapper types are available.
Hardcoded User Session Attribute
- User Session Attribute: Specify the name of the user session attribute that you want to hardcode.
- User Session Attribute Value: Specify the value that you want to hardcode.
Attribute Importer
- Claim: Specify the name of the claim for which to search in the token. You can reference nested claims by using a ‘.’ (for example, ‘address.locality’).
- User Attribute Name: Specify the user attribute name for storing the claim. Use email, lastName, and firstName to map to those predefined user properties.
Hardcoded Role
- Role: Specify the role to be granted to the user. To refer to an application role, use the following syntax: appname.approle (for example, myapp.myrole).
Claim to Role
- Claim: Specify the name of the claim for which to search in the token. You can reference nested claims by using a ‘.’ (for example, ‘address.locality’).
- Claim Value: Specify the value that the claim must have. If the claim is an array, the value must be contained in the array.
- Role: Specify the role to be granted to the user if the claim exists. To refer to an application role, use the following syntax: appname.approle (for example, myapp.myrole).
Hardcoded Attribute
- User Attribute: Specify the name of the user attribute to be hardcoded.
- User Attribute Value: Specify the value that you want to hardcode.
Username Template Importer
- Template: Specify the template for formatting the username to be imported.
Save your changes.
(Optional) To edit the mapper, in the list of mappers, click its link.
The mapper's configuration pane opens.
Change the settings as needed.
Note: You cannot change the mapper's type. Only the fields specific to that mapper type are editable. To change the mapper's type, create a new mapper and delete the old one.
Save your changes.
The mapper is configured and added to the list of mappers related to the selected identity provider.
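To make the matching rules of the OpenID Connect mappers concrete, the following is an added Python illustration (not Access Manager's own code) that evaluates the Attribute Importer and Claim to Role mappers against a constructed claim set: nested claims referenced with '.', containment when the claim is an array, the appname.approle role syntax, and the import versus force sync modes. The function names, mapper dictionaries and sample claims are assumptions made for the example.

```python
from typing import Any

# Constructed sample claim set, as it might arrive in an ID token (not real data).
SAMPLE_CLAIMS = {
    "email": "jane@example.com",
    "family_name": "Doe",
    "address": {"locality": "Berlin"},
    "groups": ["admins", "developers"],
}

# The predefined user properties the page names; anything else is a custom attribute.
PREDEFINED = {"email", "firstName", "lastName"}


def resolve_claim(claims: dict, path: str) -> Any:
    """Look up a claim; nested claims are referenced with '.' (e.g. 'address.locality')."""
    node: Any = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def claim_matches(claims: dict, claim: str, expected: str) -> bool:
    """Claim to Role rule: exact match, or containment when the claim is an array."""
    actual = resolve_claim(claims, claim)
    return expected in actual if isinstance(actual, list) else actual == expected


def parse_role(role: str) -> tuple:
    """'appname.approle' denotes an application role; anything else is a realm role."""
    if "." in role:
        app, approle = role.split(".", 1)
        return ("application", app, approle)
    return ("realm", None, role)


def new_user() -> dict:
    return {"properties": {}, "attributes": {}, "roles": set()}


def apply_mapper(user: dict, claims: dict, mapper: dict, sync_mode: str, first_login: bool) -> dict:
    """Apply one mapper: 'import' acts only on first login, 'force' on every login."""
    if sync_mode == "import" and not first_login:
        return user
    if mapper["type"] == "attribute_importer":
        value = resolve_claim(claims, mapper["claim"])
        if value is not None:
            bucket = "properties" if mapper["user_attribute"] in PREDEFINED else "attributes"
            user[bucket][mapper["user_attribute"]] = value
    elif mapper["type"] == "claim_to_role" and claim_matches(claims, mapper["claim"], mapper["claim_value"]):
        user["roles"].add(parse_role(mapper["role"]))
    return user
```

Note that a Claim Value of "admin" does not match the array entry "admins": the comparison is exact, so role grants depend on the identity provider emitting precisely the value configured in the mapper.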