---
title: NameID mapper
description: Use a NameID mapper script to customize the value of the NameID attribute returned in the SAML assertion per SP.
component: pingoneaic
page_id: pingoneaic:am-saml2:custom-nameid-mapper
canonical_url: https://docs.pingidentity.com/pingoneaic/am-saml2/custom-nameid-mapper.html
keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation", "Customization", "Java", "Scripts"]
page_aliases: ["release-notes:rapid-channel/custom-nameid-mapper.adoc"]
section_ids:
  demo-nameid-mapper: Demonstrate a NameID adapter
  create-nameid-mapper: Create the script
  configure-nameid-mapper: Configure the remote SP
  try-nameid-mapper: Test the script
---

# NameID mapper

Use a NameID mapper script to customize the value of the NameID attribute returned in the SAML assertion per SP.

* Next-generation example script

  [SAML2 NameID Mapper Script](../am-scripting/sample-scripts.html#saml2-nameid-mapper-js)

* Script bindings

  [NameID mapper scripting API](../am-scripting/saml2-nameid-mapper-api.html)

## Demonstrate a NameID adapter

Before you try the example, configure single sign-on using SAML 2.0 with Advanced Identity Cloud as the hosted IDP.

The following example modifies the NameID attribute in the assertion on the remote SP:

* [Create the script](#create-nameid-mapper)

* [Configure the remote SP](#configure-nameid-mapper)

* [Test the script](#try-nameid-mapper)

### Create the script

1. In the Advanced Identity Cloud admin console, [create a script](../developer-docs/scripting-auth.html#create-a-new-auth-script) of type SAML2 NameID Mapper.

   |   |                                                                                                                 |
   | - | --------------------------------------------------------------------------------------------------------------- |
   |   | The NameID mapper script type is a [next-generation script](../am-scripting/next-generation-scripts.html) only. |

2. In the JavaScript field, write a script to set a custom value for the NameID attribute. For example, the following script replaces instances of `.com` with `.org` in a user's email address. Alternatively, uncomment the call to `getIdentityNameID` to set NameID to the user's first and last name.

   ```javascript
   /*
    * Retrieve nameID value from Java plugin and modify
   */
   function getModifiedNameID() {
     var nameIDValue = nameIDScriptHelper.getNameIDValue();

     if (nameIDValue.includes(".com")) {
         return nameIDValue.replace(".com", ".org");
     }
     return nameIDValue;
   }

   /*
    * Use identity binding to gather attributes
   */
   function getIdentityNameID() {
     var givenName = identity.getAttributeValues("givenName")[0];
     var lastName = identity.getAttributeValues("sn")[0];

     return givenName + "_" + lastName;
   }

   getModifiedNameID();
   //getIdentityNameID();
   ```

3. Save your changes and close the editor.

### Configure the remote SP

1. In the Advanced Identity Cloud admin console, go to Applications > *SAML App Name* > Sign On and click Show advanced settings.

2. In Application Username, select Custom.

3. Select your script from the NameId Script list.

4. Save your changes.

### Test the script

1. Test your changes using an SP-initiated flow.

2. Verify that the SAML 2.0 assertion shows an updated value, for example:

   ```xml
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                NameQualifier="idp"
                SPNameQualifier="sp">bjensen@example.org</saml:NameID>
   ```