I ran into a scenario last week where I logged the user into ISAM using their AD short name, but needed to use their email address as the SAML principal name when logging into an external service (e.g. PagerDuty). The user's email address was populated as an attribute in Active Directory, and out of the box ISAM pulls that attribute into the ISAM credential as a credential attribute called "emailAddress":
```
[TAM_CRED_ATTRS_SVC:eperson]
emailAddress = mail
mobileNumber = mobile
```
Following the steps in the configuration guide for PagerDuty, there is a note:
- If you are using the default identity mapping rule, create a login ID on your Identity Provider that matches the PagerDuty login ID.
- If you are using a custom mapping rule, create an Identity Provider user based on the mapping requirements.
This means we can't use the default mapping rule, since it simply uses the login username as the SAML principal.
Instead, here is a mapping rule I scored off Shane Weeden that will pull the email address from the ISAM credential and set it as the username (Subject NameID) for the SAML assertion:
```javascript
// Import the STSUU classes the rule uses (Attribute lives in the uuser package)
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);

// get value that you want to use as Subject NameID from another cred attr -
// the example here is "emailAddress"
var usernameForSAML = stsuu.getAttributeValueByName("emailAddress");

// re-write Principal name with type as email nameid format and
// value from previous attribute
stsuu.getPrincipalAttributeContainer().clear();
stsuu.addPrincipalAttribute(
    new Attribute("name",
                  "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                  usernameForSAML));

// optionally clear other attributes in AttributeList
// if you don't want an AttributeStatement in the SAML Assertion
// stsuu.clearAttributeList();
```
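One thing the rule above does not handle is a user whose AD record has no mail attribute: the rewrite would then issue an assertion with an empty NameID. The following is an added example (not from the post and not ISAM's own code) that models only the pieces of the STSUU the rule touches as a plain JavaScript stub, applies the same rewrite, and refuses to map when the email is missing. The `StsuuStub` class, its methods and the sample credential values are assumptions made for this illustration.

```javascript
// Added example: a minimal stand-in for the ISAM STS Universal User (stsuu).
// Only the pieces the mapping rule touches are modelled; this is NOT the real
// ISAM API, just enough to run and test the rewrite logic offline.
const EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

class StsuuStub {
  constructor(principalName, attrs) {
    // principal container: list of {name, type, value}; the type is a constructed placeholder
    this.principal = [{ name: "name", type: "urn:example:original-type", value: principalName }];
    // attribute list: plain name -> value map (constructed from the cred attrs)
    this.attrs = { ...attrs };
  }
  getAttributeValueByName(n) { return this.attrs[n] === undefined ? null : this.attrs[n]; }
  getPrincipalAttributeContainer() { return { clear: () => { this.principal = []; } }; }
  addPrincipalAttribute(a) { this.principal.push(a); }
  clearAttributeList() { this.attrs = {}; }
  principalName() { return this.principal.length ? this.principal[0].value : null; }
  principalType() { return this.principal.length ? this.principal[0].type : null; }
}

// Same rewrite as the post's rule, plus a guard: if the credential carries no
// emailAddress, stop rather than emit an assertion with an empty NameID.
function mapEmailAsNameId(stsuu, dropAttributeStatement) {
  const usernameForSAML = stsuu.getAttributeValueByName("emailAddress");
  if (!usernameForSAML) {
    throw new Error("no emailAddress in credential; refusing to set SAML NameID");
  }
  stsuu.getPrincipalAttributeContainer().clear();
  stsuu.addPrincipalAttribute({ name: "name", type: EMAIL_NAMEID, value: usernameForSAML });
  if (dropAttributeStatement) stsuu.clearAttributeList();   // no AttributeStatement
  return stsuu;
}

// Constructed sample credentials (not real users).
function exampleWithEmail() {
  return mapEmailAsNameId(new StsuuStub("jsmith", { emailAddress: "jsmith@example.com" }), true);
}
function exampleWithoutEmail() {
  try { mapEmailAsNameId(new StsuuStub("jdoe", {}), false); return "mapped"; }
  catch (e) { return "rejected"; }
}
```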
In the ISAM console, navigate to the Mapping Rules page:
Create a new Mapping rule for SAML flows:
And when defining the SAML partner, override the mapping rule with our new one:
And you should be well on your way!
Note: This mapping rule is equally useful in any TFIM (Tivoli Federated Identity Manager) mappings that need the same result!