PingOne Advanced Identity Cloud

NameID mapper

Use a NameID mapper script to customize the value of the NameID attribute returned in the SAML assertion per SP.

Demonstrate a NameID adapter

Before you try the example, configure single sign-on using SAML v2.0 with PingOne Advanced Identity Cloud as the hosted IDP.

The following example modifies the NameID attribute in the assertion on the remote SP:

Learn about NameID mapper scripts from the following resources:

Create the script

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Scripts, and click +New Script.

  2. Enter a unique name for your script, select Saml2 NameID Mapper from the Script Type drop-down list, and click Create.

    The NameID mapper script type is a next-generation script only.
  3. In the JavaScript field, write a script to set a custom value for the NameID attribute. For example, the following script replaces instances of .com with .org in a user’s email address. Alternatively, uncomment the call to getIdentityNameID to set NameID to the user’s first and last name.

    /*
     * Retrieve nameID value from Java plugin and modify
    */
    function getModifiedNameID() {
      var nameIDValue = nameIDScriptHelper.getNameIDValue();
    
      if (nameIDValue.includes(".com")) {
          return nameIDValue.replace(".com", ".org");
      }
      return nameIDValue;
    }
    
    /*
     * Use identity binding to gather attributes
    */
    function getIdentityNameID() {
      var givenName = identity.getAttributeValues("givenName")[0];
      var lastName = identity.getAttributeValues("sn")[0];
    
      return givenName + "_" + lastName;
    }
    
    getModifiedNameID();
    //getIdentityNameID();
  4. Save your changes and close the editor.

Configure the remote SP

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > Federation > Entity Providers > Remote SP Name > Assertion Processing.

  2. Under Account Mapper, select your script from the SAML2 NameID Mapper Script drop-down list.

  3. Save your changes.

Test the script

  1. Test your changes using an SP-initiated flow.

  2. Verify that the SAML 2.0 assertion shows an updated value, for example:

    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                 NameQualifier="idp"
                 SPNameQualifier="sp">bjensen@example.org</saml:NameID>
Copyright © 2010-2024 ForgeRock, all rights reserved.