IBM Support

How do I map Custom Attributes for SAML Authentication? (On-Premises ONLY)

How To



Steps

Most Identity Providers send commonly known attributes (for example mail, surname, sn, given-Name, gn, phone) during SAML authentication. Some Identity Providers send differently named attributes instead. These can be mapped to Resilient fields by creating a mappings file on the virtual appliance itself.

Consider the following:

The Identity Provider is set up to send myEmail, myFirstName, myLastName, myTitle, myPhone, myCellPhone, and myGroup to Resilient.

These fields aren't known to the application by default, so they must be mapped as follows:

$ sudo -g resutil -u root mkdir /crypt/saml
$ sudo chmod 750 /crypt/saml

In newer versions of Resilient, the "resutil" group has been replaced by "co3", so use the following commands instead:

$ sudo mkdir /crypt/saml
$ sudo chown root:co3 /crypt/saml
$ sudo chmod 750 /crypt/saml
$ sudo vi /crypt/saml/mappings.json

Create a mappings.json file in the /crypt/saml/ folder with the following contents:

{
    "EMAIL": ["myEmail"],
    "FIRST_NAME": ["myFirstName"],
    "LAST_NAME": ["myLastName"],
    "TITLE": ["myTitle"],
    "PHONE": ["myPhone"],
    "CELL_PHONE": ["myCellPhone"],
    "GROUP": ["myGroup"]
}

$ sudo -g resutil -u root cp mappings.json /crypt/saml/mappings.json

For recent versions, run the following to set the ownership of this file:

$ sudo chown root:co3 /crypt/saml/mappings.json

If the file cannot be parsed, it will just be ignored. The following warning will appear in the log:

Unable to read SAML property mapping file /crypt/saml/mappings.json

You only need to map the custom attributes; the others can come directly from the Identity Provider.

Here are a couple of examples:

1) If the only "custom field" is myLastName, the mapping file can consist of only:

{
    "LAST_NAME": ["myLastName"]
}

2) If the only "custom field" is http://schemas.microsoft.com/ws/2008/06/identity/claims/groups, the mapping file can consist of only:

{
"GROUP": ["http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]
}

Note: the string used above depends on how the attribute appears in the SAML assertion sent by the Identity Provider.
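As an added illustration that is not part of this IBM article, the following Python snippet shows how a mappings.json file of the shape described above is interpreted: it parses the file, ignores it with the documented warning when it cannot be parsed, accepts only the seven field keys listed in this article, and then resolves a constructed set of SAML attributes for both example mapping files. The DEFAULT_ATTRIBUTES fallback names, the function names and the sample attribute values are assumptions made for the example; Resilient's real internal defaults are not documented here.

```python
import json
import logging

# Resilient field keys that mappings.json may use (the keys shown in this article).
MAPPABLE_FIELDS = {"EMAIL", "FIRST_NAME", "LAST_NAME", "TITLE", "PHONE", "CELL_PHONE", "GROUP"}

# ASSUMPTION: fallback attribute names used when a field is absent from mappings.json.
# The article only says unmapped fields "come directly from the Identity Provider";
# these names are chosen from the commonly known attributes it lists, not from Resilient.
DEFAULT_ATTRIBUTES = {
    "EMAIL": ["mail"],
    "FIRST_NAME": ["givenName", "gn"],
    "LAST_NAME": ["surname", "sn"],
    "TITLE": ["title"],
    "PHONE": ["phone"],
    "CELL_PHONE": ["mobile"],
    "GROUP": ["group"],
}

log = logging.getLogger("saml-mapping")


def validate_mappings(data):
    """Keep only well-formed entries: a known field key mapped to a non-empty list of
    non-empty strings. Anything else is dropped with a warning, so a typo in a key
    does not silently disable that field."""
    if not isinstance(data, dict):
        log.warning("mappings file must be a JSON object")
        return {}
    clean = {}
    for field, names in data.items():
        if field not in MAPPABLE_FIELDS:
            log.warning("unknown field %r ignored", field)
            continue
        if (not isinstance(names, list) or not names
                or not all(isinstance(n, str) and n for n in names)):
            log.warning("field %r must map to a non-empty list of attribute names", field)
            continue
        clean[field] = names
    return clean


def load_mappings(text, path="/crypt/saml/mappings.json"):
    """Parse mappings.json content. Mirrors the documented behaviour: an unparseable
    file is ignored (no custom mappings at all) and the warning from the article is logged."""
    try:
        data = json.loads(text)
    except ValueError:
        log.warning("Unable to read SAML property mapping file %s", path)
        return {}
    return validate_mappings(data)


def resolve_user(saml_attributes, mappings):
    """Pick a value for each Resilient field from the SAML attributes (attribute name -> value).
    Mapped names are tried first, in order; a field absent from mappings.json falls back
    to the assumed default names. Fields with no matching attribute are left out."""
    user = {}
    for field in sorted(MAPPABLE_FIELDS):
        candidates = mappings.get(field, DEFAULT_ATTRIBUTES[field])
        for name in candidates:
            if name in saml_attributes:
                user[field] = saml_attributes[name]
                break
    return user


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample: the IdP sends standard names plus the Microsoft-style groups claim.
    attrs = {
        "mail": "alice@example.com",
        "givenName": "Alice",
        "sn": "Smith",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups": "analysts",
    }
    mapping_text = '{"GROUP": ["http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]}'
    print(resolve_user(attrs, load_mappings(mapping_text)))
    # A malformed file produces the article's warning and an empty mapping.
    print(load_mappings("{ not json"))
```

The failure mode worth noticing is the one the article describes: a file that does not parse is ignored rather than rejected, so a stray trailing comma leaves every custom field unmapped while logins still succeed. Validating the file content before copying it into /crypt/saml avoids discovering that only from the log warning.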


Document Information

Modified date:
19 April 2021

UID

ibm11160320