ISAM Federations – Using an Email address as the SAML Principal Name

I ran into a scenario last week where users log into ISAM with their AD short name, but an external SAML service provider (PagerDuty, in this case) needs the user's email address as the SAML principal, i.e. the Subject NameID of the assertion. The email address is already populated as an attribute in Active Directory, and ISAM pulls it into the ISAM credential out of the box as a credential attribute called "emailAddress", via this stanza in the WebSEAL configuration:

[TAM_CRED_ATTRS_SVC:eperson]
emailAddress = mail
mobileNumber = mobile

The PagerDuty configuration guide has this note in its prerequisites:

Prerequisites

  • If you are using the default identity mapping rule, create a login ID on your Identity Provider that matches the PagerDuty login ID.
  • If you are using a custom mapping rule, create an Identity Provider user based on the mapping requirements.

So the default mapping rule is out: it simply copies the ISAM username (the AD short name) into the SAML principal, which would not match the PagerDuty login ID.

Instead, here is a mapping rule I got from Shane Weeden that pulls the email address from the ISAM credential and sets it as the Subject NameID of the SAML assertion, tagged with the email NameID format. One caveat before using it: the service provider will identify the account by this NameID, so the AD mail attribute it comes from must be unique and writable only by administrators. If users could edit their own mail attribute, they could obtain an assertion for another user's PagerDuty account.

// Mapping rule: use the credential's "emailAddress" attribute as the SAML Subject NameID.
// Java classes referenced below (stsuu is the STSUniversalUser passed into the rule).
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

// get value that you want to use as Subject NameID from another cred attr -
// the example here is "emailAddress"
var usernameForSAML = stsuu.getAttributeValueByName("emailAddress");

// fail closed: a user whose credential carries no email address must not
// get an assertion with an empty NameID
if (usernameForSAML == null || String(usernameForSAML).length == 0) {
    IDMappingExtUtils.throwSTSException("No emailAddress attribute in credential; cannot build SAML NameID");
}

// re-write Principal name with type as email nameid format and
// value from previous attribute
stsuu.getPrincipalAttributeContainer().clear();
stsuu.addPrincipalAttribute(
     new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                    usernameForSAML));

// optionally clear other attributes in AttributeList
// if you don't want an AttributeStatement in the SAML Assertion
// stsuu.clearAttributeList();
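To see what the rule actually changes in the assertion, here is an added example (not from this post, and not ISAM code) that models the handful of stsuu calls the rule uses in plain JavaScript and renders the resulting SAML Subject before and after the rewrite. The credential values are constructed, and the stand-in object only mimics the calls used above; it is an assumption for illustration, not the real STSUniversalUser API.

```javascript
// Added example: offline stand-in for the ISAM STSUniversalUser ("stsuu").
// Only the behaviour the mapping rule relies on is modelled here.
const EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

// Constructed credential, shaped like what WebSEAL builds from the
// [TAM_CRED_ATTRS_SVC:eperson] stanza (emailAddress = mail, mobileNumber = mobile).
function makeCredential(username, attrs) {
  return {
    // principal attribute container: the default rule leaves the username here
    principal: [{ name: "name", type: null, value: username }],
    // attribute list: name -> value, as pulled from LDAP
    attributes: attrs,
  };
}

// Mirrors the mapping rule: replace the principal with the email address,
// typed with the email NameID format. Fails closed when the attribute is
// missing or empty so no assertion is built with an empty NameID.
function mapPrincipalToEmail(cred) {
  const email = cred.attributes["emailAddress"];
  if (email === undefined || email === null || email.trim() === "") {
    throw new Error("emailAddress attribute missing from credential; refusing to issue assertion");
  }
  cred.principal.length = 0; // stsuu.getPrincipalAttributeContainer().clear()
  cred.principal.push({ name: "name", type: EMAIL_NAMEID_FORMAT, value: email });
  return cred;
}

function xmlEscape(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Render the <saml:Subject> the assertion would carry for this credential.
// A principal with no type yields a NameID without a Format attribute.
function renderSubject(cred) {
  const p = cred.principal.find((a) => a.name === "name");
  const fmt = p.type ? ` Format="${xmlEscape(p.type)}"` : "";
  return `<saml:Subject><saml:NameID${fmt}>${xmlEscape(p.value)}</saml:NameID></saml:Subject>`;
}

// Walkthrough with a constructed user: short name in, email address out.
const demoCred = makeCredential("jsmith", {
  emailAddress: "john.smith@example.com",
  mobileNumber: "+15555550100",
});
console.log("before:", renderSubject(demoCred));
mapPrincipalToEmail(demoCred);
console.log("after: ", renderSubject(demoCred));
```

The "before" line is what the default rule sends, which is why PagerDuty cannot match it; the "after" line is the NameID PagerDuty compares against its login IDs. The missing-attribute branch is worth exercising before go-live with a test user that has no mail attribute, because the failure mode otherwise is an assertion the SP rejects with an unhelpful error.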

In the ISAM console, navigate to the Mapping Rules page:

Create a new Mapping rule for SAML flows:


When defining the SAML partner, override the mapping rule with the new one:


And you should be well on your way!

Note: This mapping rule is equally useful in any TFIM (Tivoli Federated Identity Manager) mappings that need the same result.
