PingOne Advanced Identity Cloud

IdP attribute mapper

Use an IdP attribute mapper script to map user-configured attributes to SAML attributes in the generated SAML assertion.

The default implementation retrieves the mapped attribute values from the user profile first. If the attribute values are missing from the user’s profile, then Advanced Identity Cloud attempts to retrieve them from the authenticated session.

Modify SAML attributes using a legacy script

Before you try the example, configure SSO using SAML 2.0 with Advanced Identity Cloud as the hosted IdP.

The following example modifies the SAML attributes in the assertion returned by the IdP:

Create the script

  1. In the Advanced Identity Cloud admin console, create a script of type SAML2 IDP Attribute Mapper.

  2. In the JavaScript field, paste the template SAML2 IDP Attribute Mapper Script.

  3. Insert one of the following example code snippets just before the line return attributes; (around line 150 in the template) so that the assertion carries a custom static attribute:

    • Add a static single-value attribute:

      // Collect the value in a Java set, then add a SAML attribute
      // (name, name format, values) to the list the template already built.
      var customSet = new java.util.HashSet();
      customSet.add("test");
      attributes.add(
        idpAttributeMapperScriptHelper.createSAMLAttribute(
          "customSAMLAttribute", null, customSet));
    • Add a static multi-value attribute:

      // Add every value to the same set. Do not redeclare the attributes
      // list here: a new list would discard the attributes already mapped.
      var customSet = new java.util.HashSet();
      customSet.add("test1");
      customSet.add("test2");
      customSet.add("test3");
      attributes.add(
        idpAttributeMapperScriptHelper.createSAMLAttribute(
          "customMultiValueAttribute", null, customSet));
  4. Save your changes and close the editor.

Configure the IdP

  1. Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.

  2. In the Attribute Mapper Script field, select your custom script.

  3. Save your changes.

Test the script

  1. Perform a SAML 2.0 flow.

  2. Verify the AttributeStatement element in the SAML assertion contains the custom attribute.

    • Example single-value attribute assertion:

      <saml:AttributeStatement>
        <saml:Attribute Name="customSAMLAttribute">
          <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string"
          >test</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    • Example multi-value attribute assertion:

      <saml:AttributeStatement>
        <saml:Attribute Name="customMultiValueAttribute">
          <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">test1</saml:AttributeValue>
          <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">test2</saml:AttributeValue>
          <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">test3</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>

Update username with a next-generation script

Before you try the example, configure SSO using SAML 2.0 with Advanced Identity Cloud as the hosted IdP.

The following example updates the username to uppercase in the assertion returned by the IdP:

Create the script

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Scripts, and click +New Script.

  2. Provide a suitable name for your script and select the following values:

    Script Type

    Saml2 IDP Attribute Mapper

    Evaluator Version

    Next Generation

  3. Click Create.

  4. In the Script field, add the following script:

    // returns the list of attributes for the current session
    var attributes = idpAttributeMapperScriptHelper.getStandardAttributes();
    
    for (var attr of attributes) {
      if (attr.name === "username") {
        var upperCaseValues = [];
        for (var val of attr.values) {
          upperCaseValues.push(val.toUpperCase());
        }
        attr.values = upperCaseValues;
      }
    }
    // return the modified list of attributes
    attributes;

    Always make sure the last line of your script is the list of attributes to return. It must have the following format:

    [
      {
        "name": "...",
        "nameFormat": "...",
        "values": ["..."]
      },
      ...
    ]
  5. Validate and save your changes.
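The following is an added example, not part of this documentation and not Advanced Identity Cloud's own code, that exercises a next-generation style mapper on plain Node.js so the behaviour can be checked before the script is deployed. The getStandardAttributes function and its two sample attributes are constructed stand-ins for the idpAttributeMapperScriptHelper.getStandardAttributes() binding. mapAttributes applies the username uppercase change from the script above and also appends the static single-value and multi-value attributes from the legacy example, extending the existing list rather than replacing it. validateAttributeList checks the result against the required return format and, optionally, against an allowlist of the attribute names the SP is expected to receive, so a script cannot accidentally emit an attribute that was never meant to leave the IdP.

```javascript
// Added example (not Ping Identity's code): an IdP attribute mapper exercised
// outside Advanced Identity Cloud. The helper binding and the sample attributes
// below are constructed stand-ins so the file runs on plain Node.js.

// SAML 2.0 "basic" name format; assumed for the constructed standard attributes.
const BASIC_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic";

// Stand-in for idpAttributeMapperScriptHelper.getStandardAttributes():
// the attributes the IdP's Attribute Map already resolved for the session.
function getStandardAttributes() {
  return [
    { name: "username", nameFormat: BASIC_NAME_FORMAT, values: ["bjensen"] },
    { name: "mail", nameFormat: BASIC_NAME_FORMAT, values: ["bjensen@example.com"] },
  ];
}

// Build one entry in the shape the script must return. Duplicate values are
// collapsed, as a java.util.HashSet does in the legacy snippet; nameFormat
// null mirrors the legacy createSAMLAttribute(name, null, values) call.
function createAttribute(name, values, nameFormat = null) {
  return { name, nameFormat, values: [...new Set(values)] };
}

// The mapper body: uppercase the username, then append the two static
// attributes. The list is extended; re-creating it would silently drop every
// attribute the Attribute Map already produced.
function mapAttributes(attributes) {
  const mapped = attributes.map((attr) =>
    attr.name === "username"
      ? { ...attr, values: attr.values.map((v) => v.toUpperCase()) }
      : attr
  );
  mapped.push(createAttribute("customSAMLAttribute", ["test"]));
  mapped.push(createAttribute("customMultiValueAttribute", ["test1", "test2", "test3"]));
  return mapped;
}

// Check a candidate return value against the required format: an array of
// { name, nameFormat, values } objects whose values are strings. Returns the
// list of problems found (empty when the value is acceptable). When
// allowedNames is given, any attribute outside that allowlist is reported too.
function validateAttributeList(list, allowedNames) {
  const problems = [];
  if (!Array.isArray(list)) {
    return ["result is not an array"];
  }
  list.forEach((attr, i) => {
    if (typeof attr !== "object" || attr === null) {
      problems.push(`entry ${i} is not an object`);
      return;
    }
    if (typeof attr.name !== "string" || attr.name === "") {
      problems.push(`entry ${i}: name must be a non-empty string`);
    }
    if (attr.nameFormat !== null && typeof attr.nameFormat !== "string") {
      problems.push(`entry ${i}: nameFormat must be a string or null`);
    }
    if (!Array.isArray(attr.values) || !attr.values.every((v) => typeof v === "string")) {
      problems.push(`entry ${i}: values must be an array of strings`);
    }
    if (allowedNames && !allowedNames.includes(attr.name)) {
      problems.push(`entry ${i}: attribute "${attr.name}" is not in the allowlist`);
    }
  });
  // Two entries with the same name would give the SP an ambiguous assertion.
  const names = list.map((a) => a && a.name).filter((n) => typeof n === "string");
  for (const dup of new Set(names.filter((n, i) => names.indexOf(n) !== i))) {
    problems.push(`duplicate attribute name: ${dup}`);
  }
  return problems;
}

// Equivalent of the script's final expression: the validated attribute list.
// Throws instead of returning a malformed list, so a broken mapper fails
// loudly rather than issuing an assertion with missing or odd attributes.
function runMapper(allowedNames) {
  const result = mapAttributes(getStandardAttributes());
  const problems = validateAttributeList(result, allowedNames);
  if (problems.length > 0) {
    throw new Error("mapper output is malformed: " + problems.join("; "));
  }
  return result;
}

console.log(JSON.stringify(runMapper(), null, 2));
```

Inside Advanced Identity Cloud the stand-in would be replaced by the real binding and the last line of the script would be the attribute list itself rather than a console.log call; the validation step is the part worth keeping, because the mapper decides exactly which claims the SP will trust.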

Configure the IdP

  1. Configure Advanced Identity Cloud to use the updated IdP attribute mapper script:

    1. Go to Applications > Federation > Entity Providers > hosted IdP > Assertion Processing.

    2. Select your custom next-generation script from the Attribute Mapper Script list.

  2. Map the required attributes:

    1. Add the following mapping to the Attribute Map:

      SAML Attribute

      username

      Local Attribute

      uid

  3. Save your changes.

Test the script

  1. Test your changes using an SP-initiated flow.

  2. Verify that the SAML assertion contains the updated username value. For example:

    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">BJENSEN</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

    If you run an SP-initiated SSO integrated mode flow, you can include a Scripted Decision node to output the assertion value using the samlApplication binding.