Prerequisites

1. SAML IDP Assertion Schema is defined.

2. Attributes from the Assertion Schema are mapped to the authentication context.

Add Outgoing SAML Assertion Attributes

1. Select OAuth » Tokens & Claims » Claims » SAML Assertion Attributes » + ADD CLAIM.

   

2. Fill in the Add claim form with and select Add.

   Parameter	Description
   Claim name	Claim name in Cloudentity.
   Source type	How the source value for the claim is retrieved. Authentication context is a set of attributes mapped from data sent by IDP acting on behalf of the user. Client means an application registered in Cloudentity. Workspace provides metadata about the workspace.
   Source path	Specific attribute available in the source.
   Output source path	Exact attribute name representing this claim in the token.
   SAML Name	SAML attribute name issued with your Service Provider’s assertion, for example urn:oid:2.5.4.10.
   SAML Attribute Format	SAML attribute format, for example urn:oasis:names:tc:SAML:2.0:attrname-format:uri.

The attribute will be included in the SAML Assertion sent to service providers

Consider the following example:

If we add an email attribute with source type set to AuthN Context, source path set to email, SAML name set to mail and with the SAML format set to urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified, the outgoing SAML Assertion sent to the Service Provider has the following attribute included:

<saml2:AttributeStatement>
   <saml2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">johndoe@example.com
      </saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>

Next Steps

If your SAML IDP enables users to sign into OAuth-based client applications, be sure to define Token Claims as well.