How to Use Simple SSO Claims within PG IDaaS

Problem

You need to configure the Identity Claims for a Single Sign-On Relying Party configuration using the PG IDaaS Admin Panel.

Solution

Utilize the simplified claim placeholders alongside the “Formatted String” Value Type.

Available Claim Placeholders

Composite Value Format / Mapped Value (Data to be Sent)*

[LOGONNAME]

The username used during the login.

  • (e.g. sAMAccountName or email/UPN)

[USERNAME]

The Username for the User.

  • AD Field: sAMAccountName

[FIRSTNAME]

The User’s First Name.

  • AD Field: GivenName

[LASTNAME]

The User’s Last Name.

  • AD Field: sn

[DSPNAME]

The User’s Display Name.

  • AD Field: displayName

[CN]

  • AD Field: CN

[EMAIL]

The user’s email address.

  • AD Field: mail

[UPN]

  • AD Field: UserPrincipalName

[SID]

  • AD Field: SID (in Plain Text)

[GUID]

  • AD Field: objectGUID (base64-encoded)

[DN]

  • AD Field: distinguishedName

[GROUPS]

The full distinguishedName of each synchronized group from AD of which the user is a member.

  • Added within a single claim as individual attribute values.

[GROUPS_CN]

The Common Name only of each synchronized group from AD of which the user is a member.

[EMAIL_PREFIX]

Everything before the ‘@’ symbol in the user’s Email Address.

  • AD Field: mail

[EMAIL_SUFFIX]

Everything after the ‘@’ symbol in the user’s Email Address (e.g. the Domain).

  • AD Field: mail

[EMPLOYEEID] 

  • AD Field: employeeID

[EMPLOYEENUMBER] 

  • AD Field: employeeNumber

[CONSITENCYGUID] 

  • AD Field: mS-DS-ConsistencyGuid

    • Primarily utilized for O365 SSO.

* This Mapped Value is specific to Active Directory integrations. For information regarding Open LDAP integrations, please contact technical support.


Custom Attributes

In PG IDaaS v6.5.2.4 or later, Custom Attributes can be utilized by taking advantage of the Attribute Synchronization feature on the local PG Connect Machine.

Once defined, Custom Attributes can be referenced using the same Claim Placeholder format defined above. However, the value in between the brackets will be the AD attribute name.

EXAMPLE: If you are configured to synchronize the ‘mobile’, ‘description’, and ‘title’ fields in Active Directory, you may reference each of those fields as an SSO claim using:

[mobile]

[description]

[title]
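To make the placeholder semantics concrete, the following Python model (added here as an illustration; it is not PG IDaaS code and does not reproduce the product's internal implementation) expands a Composite Value Format string the way the table above and the Custom Attributes section describe: built-in placeholders map to the listed AD fields, [EMAIL_PREFIX]/[EMAIL_SUFFIX] split the mail attribute at ‘@’, [GROUPS] and [GROUPS_CN] yield one attribute value per group, [GUID] is base64-encoded, and any other bracketed name is looked up as a synchronized custom attribute. The user record, logon name and group DNs are constructed sample data; the case-insensitive lookup of custom attribute names and the error raised for an unsynchronized attribute are assumptions of this model, not documented product behaviour.

```python
import base64
import re

# Constructed sample of the attributes PG Connect might have synchronized for one
# user. Values are invented; attribute names follow the AD fields in the table.
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "givenName": "Jane",
    "sn": "Doe",
    "displayName": "Jane Doe",
    "cn": "Jane Doe",
    "mail": "jane.doe@example.com",
    "userPrincipalName": "jdoe@corp.example.com",
    "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "objectGUID": bytes(range(16)),  # raw 16-byte GUID as stored in AD
    "distinguishedName": "CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com",
    "memberOf": [
        "CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com",
        "CN=Finance,OU=Groups,DC=corp,DC=example,DC=com",
        "CN=Sales\\, EMEA,OU=Groups,DC=corp,DC=example,DC=com",  # escaped comma in CN
    ],
    "employeeID": "E1005",
    "mobile": "+1 555 0100",  # a custom attribute synchronized by name
}
LOGON_NAME = "jane.doe@example.com"  # whatever the user typed at login (constructed)

PLACEHOLDER = re.compile(r"\[([^\[\]]+)\]")


def rdn_cn(dn):
    """Return the CN value of the first RDN of a DN, honouring backslash-comma escapes."""
    m = re.match(r"CN=((?:\\.|[^,])*)", dn, re.IGNORECASE)
    return m.group(1).replace("\\,", ",") if m else ""


def resolve_placeholder(name, user, logon_name):
    """Map one placeholder name to a list of values (None if it cannot be resolved).

    Built-in names come from the placeholder table; anything else is treated as a
    custom attribute and looked up by AD attribute name (case-insensitively here,
    an assumption of this model).
    """
    mail = user.get("mail", "")
    local, _, domain = mail.partition("@")
    groups = list(user.get("memberOf", []))
    builtin = {
        "LOGONNAME": [logon_name],
        "USERNAME": [user.get("sAMAccountName", "")],
        "FIRSTNAME": [user.get("givenName", "")],
        "LASTNAME": [user.get("sn", "")],
        "DSPNAME": [user.get("displayName", "")],
        "CN": [user.get("cn", "")],
        "EMAIL": [mail],
        "UPN": [user.get("userPrincipalName", "")],
        "SID": [user.get("objectSid", "")],  # SID in plain text
        "GUID": [base64.b64encode(user.get("objectGUID", b"")).decode("ascii")],
        "DN": [user.get("distinguishedName", "")],
        "GROUPS": groups,  # one attribute value per full group DN
        "GROUPS_CN": [rdn_cn(g) for g in groups],  # Common Name only
        "EMAIL_PREFIX": [local],
        "EMAIL_SUFFIX": [domain],
        "EMPLOYEEID": [user.get("employeeID", "")],
        "EMPLOYEENUMBER": [user.get("employeeNumber", "")],
    }
    if name in builtin:
        return builtin[name]
    by_lower = {k.lower(): v for k, v in user.items()}
    raw = by_lower.get(name.lower())
    if raw is None:
        return None
    return list(raw) if isinstance(raw, list) else [str(raw)]


def render_claim(fmt, user=SAMPLE_USER, logon_name=LOGON_NAME, convert_case=None):
    """Expand a Composite Value Format into the attribute values of one claim.

    Single-valued placeholders are substituted inline. A multi-valued placeholder
    ([GROUPS] or [GROUPS_CN]) yields one rendered value per group, so the claim
    carries several attribute values. convert_case mirrors the 'Convert Case'
    form field: None (no change), 'upper' or 'lower'.
    """
    values = {}
    for name in set(PLACEHOLDER.findall(fmt)):
        resolved = resolve_placeholder(name, user, logon_name)
        if resolved is None:
            # Unknown placeholder or an attribute that was never synchronized:
            # surface it rather than silently sending an empty claim.
            raise ValueError(f"[{name}] is not a known placeholder or synchronized attribute")
        values[name] = resolved
    multi = [n for n, v in values.items() if len(v) > 1]
    if len(multi) > 1:
        raise ValueError("this model supports one multi-valued placeholder per claim")
    count = len(values[multi[0]]) if multi else 1

    rendered = []
    for i in range(count):
        def substitute(m, i=i):
            v = values[m.group(1)]
            return v[i] if len(v) > 1 else (v[0] if v else "")
        text = PLACEHOLDER.sub(substitute, fmt)
        if convert_case == "upper":
            text = text.upper()
        elif convert_case == "lower":
            text = text.lower()
        rendered.append(text)
    return rendered


if __name__ == "__main__":
    for fmt in ("[USERNAME]", "[LASTNAME], [FIRSTNAME]", "[EMAIL_PREFIX]@corp.example.com",
                "[GROUPS_CN]", "[mobile]", "[GUID]"):
        print(f"{fmt:35} -> {render_claim(fmt)}")
```

Running the block prints what each sample format resolves to for the constructed user; the useful check before saving a claim is that every bracketed name you type is either in the table above or an attribute you have actually added to Attribute Synchronization, since a name that resolves to nothing cannot produce a meaningful claim value.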

Steps for Configuring an Identity Claim using Simplified Claim Placeholders

  1. Navigate to the Admin Panel and click on ‘Single Sign On’.

  2. Select the SSO relying party to update with a Simplified Claim.

  3. Navigate to the ‘Identity Claims’ section:

  4. Under the ‘Claims’ section either click the ‘Add’ button or select an existing claim and click the ‘Edit’ button.

  5. In the following popup, complete the form as outlined below:

    1. Name: Internal name of the claim.

    2. Send as NameID?: Check only if this claim should be a NameID.

    3. Schema Type: The resultant ‘name’ value of the XML attribute.

    4. Value Type: Formatted String

    5. Convert Case: (No Change)

    6. Composite Value Format: Use a bracketed placeholder as defined in the sections above.

  6. Scroll down and click ‘Save Identity Claim’

  7. Finish any other edits to the Relying Party configuration and then ‘submit’.

  8. Apply for staging and rollout when ready.

    1. Important note: Always perform a ‘Zero Downtime Rollout’ in order to minimize downtime.