---
title: IdP attribute mapper
description: Use an IdP attribute mapper script to map user-configured attributes to SAML attributes in the generated SAML assertion.
component: pingoneaic
page_id: pingoneaic:am-saml2:custom-idp-attribute-mapper
canonical_url: https://docs.pingidentity.com/pingoneaic/am-saml2/custom-idp-attribute-mapper.html
keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation", "Scripts"]
page_aliases: ["saml2-guide:plugins-idp-attribute-mapper.adoc", "plugins-idp-attribute-mapper.adoc"]
section_ids:
  example-idp-attribute-mapper: Modify SAML attributes using a legacy script
  create-idp-attr-mapper: Create the script
  use-idp-attr-mapper: Configure the IdP
  try-idp-attr-mapper: Test the script
  example-idp-attribute-mapper-nextgen: Update username with a next-generation script
  create-idp-attr-mapper-ng: Create the script
  use-idp-attr-mapper-ng: Configure the IdP
  try-idp-attr-mapper-ng: Test the script
---

# IdP attribute mapper

Use an IdP attribute mapper script to map user-configured attributes to SAML attributes in the generated SAML assertion.

The default implementation retrieves the mapped attribute values from the user profile first. If the attribute values are missing from the user's profile, then Advanced Identity Cloud attempts to retrieve them from the authenticated session.

* Next-generation example script

  [SAML2 IDP Attribute Mapper Script (Next Gen)](../am-scripting/sample-scripts.html#saml2-idp-attribute-mapper-next-gen-js)

* Legacy example script

  [SAML2 IDP Attribute Mapper Script](../am-scripting/sample-scripts.html#saml2-idp-attribute-mapper-js)

* Script bindings

  [IdP attribute mapper scripting API](../am-scripting/saml2-idp-attribute-mapper-api.html)

## Modify SAML attributes using a legacy script

Before you try the example, configure SSO using SAML 2.0 with Advanced Identity Cloud as the hosted IdP.

The following example modifies the SAML attributes in the assertion returned by the IdP:

* [Create the script](#create-idp-attr-mapper)

* [Configure the IdP](#use-idp-attr-mapper)

* [Test the script](#try-idp-attr-mapper)

### Create the script

1. In the Advanced Identity Cloud admin console, [create a script](../developer-docs/scripting-auth.html#create-a-new-auth-script) of type SAML2 IDP Attribute Mapper.

2. In the JavaScript field, paste the template [SAML2 IDP Attribute Mapper Script](../am-scripting/sample-scripts.html#saml2-idp-attribute-mapper-js).

3. Insert one of the following example code snippets just before `return attributes;` around line 150 to return a custom static attribute:

   * Add a static single-value attribute:

     ```javascript
     var customSet = new java.util.HashSet();
     customSet.add("test");
     attributes.add(
       idpAttributeMapperScriptHelper.createSAMLAttribute(
         "customSAMLAttribute", null, customSet));
     ```

   * Add a static multi-value attribute:

     ```javascript
     // Append to the `attributes` list the template has already built.
     // Redeclaring `attributes` here would discard the mapped attributes.
     var customSet = new java.util.HashSet();
     customSet.add("test1");
     customSet.add("test2");
     customSet.add("test3");
     attributes.add(
       idpAttributeMapperScriptHelper.createSAMLAttribute(
         "customMultiValueAttribute", null, customSet));
     ```

4. Save your changes and close the editor.

### Configure the IdP

1. Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > *Hosted IDP Name* > Assertion Processing.

2. In the Attribute Mapper Script field, select your custom script.

3. Save your changes.

### Test the script

1. Perform a SAML 2.0 flow.

2. Verify the `AttributeStatement` element in the SAML assertion contains the custom attribute.

   * Example single-value attribute assertion:

     ```xml
     <saml:AttributeStatement>
       <saml:Attribute Name="customSAMLAttribute">
         <saml:AttributeValue
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:type="xs:string"
         >test</saml:AttributeValue>
       </saml:Attribute>
     </saml:AttributeStatement>
     ```

   * Example multi-value attribute assertion:

     ```xml
     <saml:AttributeStatement>
       <saml:Attribute Name="customMultiValueAttribute">
         <saml:AttributeValue
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:type="xs:string">test1
         </saml:AttributeValue>
         <saml:AttributeValue
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:type="xs:string">test2
         </saml:AttributeValue>
         <saml:AttributeValue
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:type="xs:string">test3
         </saml:AttributeValue>
       </saml:Attribute>
     </saml:AttributeStatement>
     ```

## Update username with a next-generation script

Before you try the example, configure SSO using SAML 2.0 with Advanced Identity Cloud as the hosted IdP.

The following example updates the username to uppercase in the assertion returned by the IdP:

* [Create the script](#create-idp-attr-mapper-ng)

* [Configure the IdP](#use-idp-attr-mapper-ng)

* [Test the script](#try-idp-attr-mapper-ng)

### Create the script

1. Under Native Consoles > Access Management, go to Realms > *Realm Name* > Scripts, and click +New Script.

2. Provide a suitable name for your script and select the following values:

   * Script Type

     `Saml2 IDP Attribute Mapper`

   * Evaluator Version

     `Next Generation`

3. Click Create.

4. In the Script field, add the following script:

   ```javascript
   // returns the list of attributes for the current session
   var attributes = idpAttributeMapperScriptHelper.getStandardAttributes();

   for (var attr of attributes) {
     if (attr.name === "username") {
       var upperCaseValues = [];
       for (var val of attr.values) {
         upperCaseValues.push(val.toUpperCase());
       }
       attr.values = upperCaseValues;
     }
   }
   // return the modified list of attributes
   attributes;
   ```

   Always make sure the last line of your script is the list of the attributes to return. It must be in the following format:

   ```json
   [
     {
       "name": "...",
       "nameFormat": "...",
       "values": ["..."]
     },
     ...
   ]
   ```

5. Validate and save your changes.
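
An added example, not part of the original page or of the product's sample scripts: the same uppercase mapping written as a plain function that runs in Node.js outside the platform, with a check that the list it returns matches the required format. The names `uppercaseUsername` and `findShapeProblems` and the sample list are hypothetical, and treating extra keys or non-string values as problems is an assumption of this check.

```javascript
// Constructed sample: stands in for the list that
// idpAttributeMapperScriptHelper.getStandardAttributes() returns on the platform.
const sampleAttributes = [
  { name: "username", nameFormat: null, values: ["bjensen"] },
  { name: "mail", nameFormat: null, values: ["bjensen@example.com"] },
];

// Hypothetical helper: same transformation as the script above, but it
// returns a new list and leaves its input untouched.
function uppercaseUsername(attributes) {
  return attributes.map((attr) =>
    attr.name === "username"
      ? { ...attr, values: attr.values.map((v) => String(v).toUpperCase()) }
      : attr
  );
}

// Hypothetical helper: list every entry that does not match the
// { name, nameFormat, values } format the script must return.
// Assumption: any other key (for example a mistyped "name:") is an error.
function findShapeProblems(attributes) {
  if (!Array.isArray(attributes)) return ["result is not a list"];
  const allowed = new Set(["name", "nameFormat", "values"]);
  const problems = [];
  attributes.forEach((attr, i) => {
    if (attr === null || typeof attr !== "object") {
      problems.push(`[${i}] is not an object`);
      return;
    }
    for (const key of Object.keys(attr)) {
      if (!allowed.has(key)) problems.push(`[${i}] unexpected key "${key}"`);
    }
    if (typeof attr.name !== "string" || attr.name === "") {
      problems.push(`[${i}] missing name`);
    }
    if (!Array.isArray(attr.values) ||
        !attr.values.every((v) => typeof v === "string")) {
      problems.push(`[${i}] values must be a list of strings`);
    }
  });
  return problems;
}

const mapped = uppercaseUsername(sampleAttributes);
console.log(JSON.stringify(mapped), findShapeProblems(mapped));
```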

### Configure the IdP

1. Configure Advanced Identity Cloud to use the updated IdP attribute mapper script:

   1. Go to Applications > Federation > Entity Providers > *hosted IdP* > Assertion Processing.

   2. Select your custom next-generation script from the Attribute Mapper Script list.

2. Map the required attributes:

   1. Add the following mapping to the Attribute Map:

      * SAML Attribute

        `username`

      * Local Attribute

        `uid`

3. Save your changes.

### Test the script

1. Test your changes using an SP-initiated flow.

2. Verify that the SAML assertion contains the updated `username` value. For example:

   ```xml
   <saml:AttributeStatement>
     <saml:Attribute Name="username">
       <saml:AttributeValue
         xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
         xmlns:xs="http://www.w3.org/2001/XMLSchema"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:type="xs:string">BJENSEN
       </saml:AttributeValue>
     </saml:Attribute>
   </saml:AttributeStatement>
   ```

   If you run an [SP-initiated SSO integrated mode flow](saml2-integrated-mode.html#spinit-sso-integrated-mode), you can include a Scripted Decision node to output the assertion value using the `samlApplication` binding. Learn more in [Query SAML application and authentication request](../am-scripting/scripting-api-node.html#samlapp-binding).
