Identity Cloud

Use IDP attribute mapper to map user-configured attributes to SAML attributes

Use this script type to map user-configured attributes to SAML attributes in the generated SAML assertion.

The default implementation retrieves the mapped attribute values from the user profile first. If the attribute values are missing from the user’s profile, then Identity Cloud attempts to retrieve them from the user’s session.

For a template script, refer to saml2-idp-attribute-mapper.js.

Demonstrate an IDP attribute mapper

Before you try the example, configure single sign-on using SAML v2.0 with Identity Cloud as the hosted IDP.

The following example modifies the SAML attributes in the assertion returned by the IDP:

Create the script

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Scripts, click + New Script, add these settings, and click Create:


    A unique name for your script

    Script Type

    Scroll down to select Saml2 IDP Attribute Mapper

  2. In the Script text field for the new script, paste the template saml2-idp-attribute-mapper.js script.

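  3. Insert the following lines just before the return attributes; statement, around line 150, to return a custom static attribute:

    var customSet = new java.util.HashSet();
    customSet.add("placeholder-value"); // placeholder value
    attributes.add(idpAttributeMapperScriptHelper.createSAMLAttribute(
        "customSAMLAttribute", null, customSet));

  4. Click Validate, make any necessary corrections, and click Save Changes.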

Configure the IDP

  1. Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.

  2. In the Attribute Mapper Script field, select your script.

  3. Save your changes.

Test the script

  1. Perform a SAML v2.0 flow.

  2. Verify the AttributeStatement element in the SAML assertion contains the custom attribute:

      <saml:Attribute Name="customSAMLAttribute">
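The verification in step 2 can be scripted against a captured SAMLResponse. The following is an added example, not part of the original page or the product's code; the function names, the sample response, and the attribute value in it are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a trimmed, unsigned SAML response with placeholder values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>demo@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="customSAMLAttribute">
        <saml:AttributeValue>placeholder-value</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_post_binding(saml_response_b64):
    """Decode the SAMLResponse form field used by the HTTP-POST binding."""
    return base64.b64decode(saml_response_b64).decode("utf-8")


def assertion_attributes(response_xml):
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(attr.get("Name"), []).extend(values)
    return found


def check_custom_attribute(response_xml, name="customSAMLAttribute"):
    """Return the attribute's values, or raise if the mapper did not emit it."""
    attrs = assertion_attributes(response_xml)
    if name not in attrs:
        raise LookupError(f"{name} missing; assertion carries {sorted(attrs)}")
    return attrs[name]


if __name__ == "__main__":
    encoded = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()
    print(check_custom_attribute(decode_post_binding(encoded)))
```

This check reads attribute content only and does not validate the assertion signature. If the IDP encrypts assertions, the attribute statement is not visible until the assertion is decrypted, and the lookup reports the attribute as missing.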

Available objects

Identity Cloud injects the following objects into the execution context of an IDP attribute mapper script:

Binding Information


The entity ID for the hosted IDP.


An object with methods for IDP attribute mapping. For details, refer to IdpAttributeMapperScriptHelper.


Write a message to the Identity Cloud am-core log source. The logger identifier takes the form scripts.script-type.script-id. For details, refer to Debug.


The realm the user authenticates to.


The remote entity ID.


Represents the user’s single sign-on session object. For details, refer to SSOToken.

Copyright © 2010-2024 ForgeRock, all rights reserved.