How-To add new claim values to an SSO application

Introduction

By default, a few user claims are available to any SSO application. Those defaults contain information such as username, first name, last name and email. In many cases that is all the data an SSO application needs, since it can load additional data from an external source and use the email address to identify the user. In some cases this is not possible, or from a performance standpoint it makes more sense to have that data provided by the IdP. This article describes how this can be achieved.

Step 1 - Create the necessary attribute

Let's say we want to provide a Web Shop Application with a Customer Number. The first thing we need to do is create that attribute by navigating to the Master Data menu and selecting Attributes. Here you can select Create and add the appropriate information to the attribute. In this case we create a String attribute that needs to be Unique, and we also add the Attribute Usage Type CoreIdentity Attribute.

Step 2 - Map the attribute to the CoreIdentity Type

Now that we have our newly created attribute, we add it to the default Core Identity type by navigating to the Identity Management menu and selecting Core Identity Types. Here we choose the appropriate type and add the attribute to the Attribute Mapping. Once we have done that, we can start adding values to existing Core Identities of that type.

Depending on the caching configuration, you might want to restart the backend service at this point to ensure that the configuration is up to date.

Step 3 - Map the attribute to the SSO Identity

Navigate to the System Configuration menu and select System Identity Type Attributes. Click on Create and select the created attribute. As Account Type add CoreOne Authentication Services User and choose the application where this attribute should be available (this should be the application of the user). Target System Property Name indicates how the actual user claim will be named. So if you chose Customer Number as the attribute's name, you should use a name here that follows your claim naming strategy, for example customer_number. Binding Mode is usually CoreOne → Target System.

In this example we used the same attribute for the Core Identity Attribute and the System Identity Type Attribute. You can do it this way if the validation rules and other properties are the same. If they differ, you can use two different attributes.

Step 4 - Map the Core Identity attribute values to the claim in the provisioning configuration

The next step is to map the values of the Core Identity attribute to the actual user claims. To do so, navigate to the Identity Management menu and select Provisioning Configuration. Choose the appropriate entry from the list and open the Attribute Mapping tab. If you click on Add, the newly created system identity attribute should be available in the selection box. After adding it, you can map it to the Core Identity attribute from step 2.

Step 5 - Create the claim

Navigate to SSO and select Claim Types. Once you click on Add, you can select the created attribute and the appropriate type.

Step 6 - Put the created claim into a scope

The SSO application has to request which data it would like to receive from the IdP. It does this by providing a list of scopes in the authentication request. By default, new user claims are not added to any scope, so we either need to add the claim to an existing scope or create a new one. To keep the example simple, we will just add it to the default Profile scope. Navigate to SSO and select Scopes. On the detail page of the Profile scope, add the newly created claim to the Claim Type list.
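As an added example that is not part of this article or of CoreOne, the following Python shows the relying-party side of steps 3 to 6: the application requests the profile scope (where the customer_number claim was placed) and then reads the claim from an already verified token payload, treating a missing or non-string value as an error rather than silently falling back. It assumes the application uses OpenID Connect; the endpoint, client id, redirect URI and sample claims are placeholders constructed for the example, and signature, issuer, audience and nonce validation are assumed to have been done by the OIDC library beforehand.

```python
import json
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://idp.example.test/connect/authorize"  # placeholder, not a real CoreOne URL
CLIENT_ID = "webshop"                                                # placeholder client id
REDIRECT_URI = "https://shop.example.test/callback"                  # placeholder redirect URI
CLAIM_NAME = "customer_number"  # Target System Property Name chosen in step 3
CLAIM_SCOPE = "profile"         # scope the claim was added to in step 6


def build_authorization_url(scopes, state, nonce):
    """Build the OIDC authorization request. The claim only arrives if CLAIM_SCOPE
    is among the requested scopes, because claims are delivered per scope."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is mandatory for an OIDC authentication request")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,   # CSRF protection for the callback
        "nonce": nonce,   # binds the ID token to this request
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def customer_number_from_claims(claims, requested_scopes):
    """Return the customer number from a verified claim set (ID token payload or
    userinfo response). Returns None when the scope was requested but the user has
    no value; raises when the claim cannot be there or has the wrong type."""
    value = claims.get(CLAIM_NAME)
    if value is None:
        if CLAIM_SCOPE not in requested_scopes:
            raise ValueError(f"{CLAIM_NAME} lives in the {CLAIM_SCOPE} scope; request it")
        return None  # scope requested, but no value mapped for this user
    # The attribute was created as a String in step 1; reject anything else.
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{CLAIM_NAME} must be a non-empty string, got {value!r}")
    return value


# Constructed sample: the verified payload of an ID token for one user (placeholder data).
SAMPLE_CLAIMS = json.loads(
    '{"sub": "1a2b3c", "email": "alice@example.test", "given_name": "Alice", '
    '"customer_number": "C-000123"}'
)

if __name__ == "__main__":
    print(build_authorization_url(["openid", CLAIM_SCOPE], state="s1", nonce="n1"))
    print(customer_number_from_claims(SAMPLE_CLAIMS, ["openid", CLAIM_SCOPE]))
```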


© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.