Identity Cloud

IDP attribute mapper plugin

Use this plugin to map user-configured attributes to SAML attribute objects to insert into the generated SAML assertion.

The default implementation is to retrieve the mapped attribute values from the user profile first. If the attribute values are not present in the user’s profile, then the plugin attempts to retrieve them from the user’s session.

To view a template script, including the available script properties, see saml2-idp-attribute-mapper.js.

Create a custom IDP attribute mapper script

Complete the following steps to implement an example IDP attribute mapper script that modifies the SAML attributes that are inserted in the assertion returned by the IDP.

This task assumes your environment is already correctly configured for single sign-on using SAML v2.0, where AM is the hosted IDP.

  1. In the AM admin UI, go to Realms > Realm Name > Scripts, and click New Script.

  2. Enter a unique name for your script, select SAML2 IDP Attribute Mapper from the Script Type drop-down list, and click Create.

  3. Copy the saml2-idp-attribute-mapper.js script and paste in the Script field.

  4. Insert the following lines of example code to return a custom static attribute, around line 150, preceding return attributes;:

    var customSet = new java.util.HashSet();
    customSet.add("test");
    attributes.add(idpAttributeMapperScriptHelper.createSAMLAttribute("customSAMLAttribute", null, customSet));

    For information about the bindings that are available to the script, see IDP attribute mapper scripting API.

  5. Validate and save your changes.

  6. Configure AM to use the updated IDP attribute mapper script.

    1. In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.

    2. In the Attribute Mapper Script field, select SAML2 IDP Attribute Mapper Script.

      Alternatively, if you created a script rather than modifying the default, select the new script name.

    3. Save your changes.

  7. Test your changes and verify that the AttributeStatement element in the SAML assertion contains the custom attribute.

    For example:

    <saml:AttributeStatement>
      <saml:Attribute Name="customSAMLAttribute">
        <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">test
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

IDP attribute mapper scripting API

The following properties are available to IDP attribute mapper scripts, in addition to the common SAML v2.0 properties.

Show script properties
idpAttributeMapperScriptHelper

An IdpAttributeMapperScriptHelper instance containing methods used for IDP attribute mapping. Always present.

remoteEntityId

The remote entity ID.

session

Contains a representation of the user’s single sign-on session object.

Copyright © 2010-2022 ForgeRock, all rights reserved.