Creating advanced attribute mappings
Advanced attribute mappings allow you to customize attributes for specific applications or identity providers (IdPs).
About this task
Advanced attribute mapping is not available for PingOne for Enterprise Directory.
Advanced attribute mapping mode lets you change how an identity repository attribute is mapped to a service provider (SP) application attribute, or assign more than one identity repository attribute to a single application attribute, so that the attribute an application needs can be supplied without altering the existing mapping.
Use advanced attribute mapping when you:
- Customize PingOne dock settings and want to change one or more of the default attributes used by the identity bridge.
- Add a cloud application for your single sign-on (SSO) users, and one or more of the application's attributes differ from the attributes used by the identity bridge.
In both cases, if the standard attributes don't meet your needs, use advanced mode to customize an attribute.
Steps
- On the Attribute Mapping tab of the application you are editing, click Advanced on the line of the attribute you want to map.
- Optional: For SAML_SUBJECT, configure the Name ID Format.
  Setting: Name ID Format to request from IdP
  Available values:
  - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  - urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  - urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
  - urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified
  - urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
  - urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  - urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  Setting: Name ID Format to send to SP
  Available values: not listed on this page.
  Choose persistent when the SP must link the subject to a stable account; a transient Name ID is valid only for that session and cannot be used for account linking.
- Optional: For all other attributes, configure the NameFormat.
  Setting: NameFormat
  Available values:
  - urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  - urn:oasis:names:tc:SAML:2.0:attrname-format:uri
  - urn:oasis:names:tc:SAML:2.0:attrname-format:basic
- Optional: For all attributes, apply advanced attribute mappings. Choose from:
  - In the IDP Attribute Name or Literal Value list, enter or select an attribute value.
  - Select the As Literal check box and enter a literal value to assign as the attribute.
  - For attributes that are not literal values, select a transformation to apply to the attribute in the Function list. The following transformation functions are available.

  Base64Decode
      Decode the source value. Returns a null result if the source value is not a valid Base64 encoding.
  Base64Encode
      Encode the source value.
  ExtractByRegularExpression
      Apply a regular expression to the attribute values. Any portion of a value that matches the regular expression is assigned to the attribute.
      For example, an incoming assertion uses memberOf, and you want only groups from a specified list sent in the outgoing assertion. If the groups you want are A, B, C and D, and the incoming memberOf attribute contains the groups A, B, E, F, a regular expression that matches those four names extracts only the A and B values.
  FilterByRegularExpression
      Apply a regular expression to the attribute values. Only values that match the regular expression are assigned to the attribute.
      For example, to keep only values that start with 'A' or 'b', use the regular expression [Ab].*
  GetDomainPartFromEmail
      Get the domain part of an email address string. For example, get foo.com from bob.smith@foo.com.
  GetFirstRelativeDN
      Get the first relative distinguished name (RDN) from a distinguished name (DN) string. For example, get Bob Smith from CN=Bob Smith,OU=Sales,DC=Fabrikam,DC=com.
  GetLocalPartFromEmail
      Get the local part of an email address string. For example, get bob.smith from bob.smith@foo.com.
  Hash
      Apply a hashing algorithm to the attribute value. Select the algorithm and the encoding in the Hashing Algorithm and Encoding Format lists.
      Hashing Algorithm options: MD5, SHA-1, SHA-256
      Encoding Format options: hex, Base64
      An unkeyed hash of a low-entropy value such as an email address or username does not conceal it, because anyone who can guess the input can recompute the hash. Use this function to derive a stable opaque identifier, not as an anonymization measure.
  PickByFieldsFromJsonList
      Pick the values of a multivalued attribute whose fields match the condition you specify. Each value is a JSON object.
  PickPrimaryObjectByTypeFromJsonList
      Pick the JSON objects in the list that have a primary value of true and a type value equal to the condition value. If you do not specify a condition, the type value is ignored and all objects with primary set to true are returned.
  PickPrimaryValueByTypeFromJsonList
      Pick the value field of the JSON objects in the list whose primary value is true and whose type value matches the condition value. If you do not specify a condition, the type value is ignored and the value field of all objects with primary set to true is returned.
  Random
      Assign a random value to the attribute. You must supply the character length to use. You can also apply a hashing algorithm and encoding format to the random value.
      Hashing Algorithm options: None, MD5, SHA-1, SHA-256
      Encoding Format options: None, hex, Base64
  ToLowerCase
      Change all characters to lower case.
  ToUpperCase
      Change all characters to upper case.
- To add another value to map to the attribute, click Add Attribute.
- Click Save.
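To make the behaviour of the transformation functions concrete, the following Python script re-implements them from the one-line descriptions in the table above and runs them over constructed sample attributes (a SCIM-style multivalued emails attribute and the memberOf groups from the table). This is an added example written for this page, not Ping Identity's code: the exact semantics it assumes, such as anchored matching for FilterByRegularExpression, backslash escaping in GetFirstRelativeDN, a null result when an email address has no '@', and the JSON field names primary, type and value, are inferred from the table rather than confirmed by it.

```python
"""Re-implementation of the transformation functions listed above, added as an
example for this page; not Ping Identity's code. Anything beyond the table's
one-line descriptions (anchoring, escaping, null handling) is an assumption."""
import base64
import hashlib
import json
import re
import secrets
import string


def base64_decode(value):
    """Base64Decode: the page specifies a null result for invalid input."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def base64_encode(value):
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def extract_by_regular_expression(values, pattern):
    """Every matching portion of every value becomes an output value."""
    rx = re.compile(pattern)
    return [m.group(0) for v in values for m in rx.finditer(v)]


def filter_by_regular_expression(values, pattern):
    """Keep whole values that match. Assumption: the match is anchored to the
    whole value, so [Ab].* keeps 'Admin' and 'bob' but not 'xAy'."""
    rx = re.compile(pattern)
    return [v for v in values if rx.fullmatch(v)]


def get_domain_part_from_email(value):
    _local, at, domain = value.rpartition("@")
    return domain if at else None  # assumption: no '@' yields null


def get_local_part_from_email(value):
    local, at, _domain = value.rpartition("@")
    return local if at else None  # assumption: no '@' yields null


def get_first_relative_dn(value):
    """Value of the first RDN. Assumption: RFC 4514 backslash escaping, so the
    comma in 'CN=Smith\\, Bob' does not end the RDN."""
    m = re.match(r"[^=,]+=((?:\\.|[^,\\])*)", value)
    return m.group(1).replace("\\,", ",") if m else None


_ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}


def hash_value(value, algorithm="SHA-256", encoding="hex"):
    """Hash: algorithm and encoding are named as in the PingOne lists."""
    digest = hashlib.new(_ALGORITHMS[algorithm], value.encode("utf-8")).digest()
    return digest.hex() if encoding == "hex" else base64.b64encode(digest).decode("ascii")


def random_value(length, algorithm="None", encoding="None"):
    """Random: a CSPRNG string of the requested length, optionally hashed."""
    raw = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))
    if algorithm == "None":
        return raw
    return hash_value(raw, algorithm, "hex" if encoding == "None" else encoding)


def _objects(json_list):
    items = json.loads(json_list) if isinstance(json_list, str) else json_list
    return [o for o in items if isinstance(o, dict)]


def pick_by_fields_from_json_list(json_list, **conditions):
    return [o for o in _objects(json_list) if all(o.get(k) == v for k, v in conditions.items())]


def pick_primary_object_by_type_from_json_list(json_list, type_value=None):
    """No condition: type is ignored and every object with primary true is returned."""
    return [o for o in _objects(json_list)
            if o.get("primary") is True and (type_value is None or o.get("type") == type_value)]


def pick_primary_value_by_type_from_json_list(json_list, type_value=None):
    return [o.get("value") for o in pick_primary_object_by_type_from_json_list(json_list, type_value)]


# Constructed sample input: a SCIM-style multivalued emails attribute and the memberOf groups from the table.
SAMPLE_EMAILS = json.dumps([{"value": "bob.smith@foo.com", "type": "work", "primary": True},
                            {"value": "bob@home.example", "type": "home", "primary": False}])
SAMPLE_MEMBER_OF = ["A", "B", "E", "F"]


def map_outgoing_attributes():
    """One mapping run: the values the SP would receive for three transformed attributes."""
    mail = pick_primary_value_by_type_from_json_list(SAMPLE_EMAILS, "work")[0]
    return {"groups": filter_by_regular_expression(SAMPLE_MEMBER_OF, "[ABCD]"),
            "email_domain": get_domain_part_from_email(mail),
            "uid": hash_value(get_local_part_from_email(mail), "SHA-256", "Base64")}
```

The script goes slightly beyond the table in two places, both marked as assumptions in the code: GetFirstRelativeDN honours a backslash-escaped comma inside the first RDN, and the email helpers return null rather than the whole string when there is no '@'. Run map_outgoing_attributes() to see the groups filtered to A and B, the domain foo.com, and a Base64 SHA-256 of the local part; check any of these assumptions against the real mapping output before relying on them in a production mapping.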