Modify a Single Sign On Claim Using Static Text with a Formatted String

Problem

You want to modify an attribute to create a customized claim for use with Single Sign-On.

Solution

Use a 'Formatted String' to add static text to attributes that will be pulled from a User Repository.

Important Note: The 'Formatted String' option is only available for LDAP-Based user repositories

  1. Navigate to the PortalGuard server and open the Identity Provider Configuration Editor.

  2. Navigate to the SAML Websites tab and edit the Relying Party that needs a claim for Group information.

  3. Navigate to the Identity Claims tab.

  4. Click on the 'Create' button to create a new claim.

  5. Define a name for this claim in the 'Name' field.

    • This value will only be used as a reference point in the Identity Provider Configuration Editor and is NOT sent alongside the Claim during SSO.

  6. The 'Schema Type' corresponds to the attribute 'Name' value that the SP is looking for. 

    • Oftentimes, the SP will require the claim to be sent with an attribute 'Name' formatted with 'urn...'

    • If you are unsure, click the 'Pre-defined Types' button and choose an option from the dropdown.

  7. The 'Value Type' will be set to 'Formatted String'.

  8. Under the Formatted sub-tab, input the structure the claim should follow.

    • For this example, we will be sending the sAMAccountName from AD with a static 'scope'. This claim will resemble an email address, but will not actually match the user's email address (otherwise, we would use a standard claim to send the 'mail' attribute).

      • This example is useful when claims need to be scoped for a Service Provider, but the 'Formatted String' can be used to configure many different variations on standard claims as needed.

    • All attributes to be pulled from LDAP should be encased in square brackets (e.g. [sAMAccountName]).

    • If the LDAP Field is multi-valued, only the initial value will be used.

  9. Your final result should resemble the following:

  10. Save the new claim. 

  11. Save the Relying Party Configuration.

  12. From the main screen of the Identity Provider Configuration Editor, click the 'Apply to Identity Provider' button. 

  13. Click the 'Sync' button.
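To make the behaviour of the 'Formatted String' concrete, here is an added example (not PortalGuard's code; it is a hypothetical model of the substitution rules described above) that renders a template such as `[sAMAccountName]@sso.example.org` against a constructed LDAP record, takes only the first value of a multi-valued field, and shows the claim as it would appear as a SAML attribute. The `urn:example:...` schema type and the sample user are constructed placeholders.

```python
import re
from xml.sax.saxutils import escape

# Assumed model of the 'Formatted String' claim: every [attr] token is
# looked up in the user's LDAP record (attribute names are case-insensitive
# in LDAP, so the lookup ignores case); static text is passed through.
PLACEHOLDER = re.compile(r"\[([A-Za-z0-9_-]+)\]")


def render_formatted_string(template, ldap_attrs):
    """Replace each [attr] in template with the user's LDAP value."""
    by_name = {k.lower(): v for k, v in ldap_attrs.items()}

    def lookup(match):
        name = match.group(1)
        if name.lower() not in by_name:
            # A missing attribute is a configuration error, not an empty claim.
            raise KeyError(f"LDAP attribute {name!r} not present for this user")
        value = by_name[name.lower()]
        if isinstance(value, (list, tuple)):
            if not value:
                raise ValueError(f"LDAP attribute {name!r} has no values")
            value = value[0]  # multi-valued field: initial value only
        return str(value)

    return PLACEHOLDER.sub(lookup, template)


def saml_attribute(schema_type, value):
    """Render the claim as a SAML 2.0 Attribute element, XML-escaped."""
    name = escape(schema_type, {'"': "&quot;"})
    return (f'<saml:Attribute Name="{name}">'
            f"<saml:AttributeValue>{escape(value)}</saml:AttributeValue>"
            "</saml:Attribute>")


# Constructed sample LDAP record (not real data)
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "mail": "john.doe@corp.example",
    "memberOf": ["CN=Staff,OU=Groups,DC=corp,DC=example",
                 "CN=VPN,OU=Groups,DC=corp,DC=example"],
}

if __name__ == "__main__":
    claim = render_formatted_string("[sAMAccountName]@sso.example.org", SAMPLE_USER)
    print(saml_attribute("urn:example:claims:scoped-id", claim))
```

Note that the rendered value is the scoped identifier `jdoe@sso.example.org`, which differs from the user's actual `mail` attribute, exactly the distinction step 8 draws.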