
Attribute Mapping

An Attribute Mapping is a filter and a set of data transformation rules applied to the list of attributes received from the Authentication Source. After a successful authentication, the resulting attributes are forwarded to the Service Provider.

Multiple Service Providers may share one Authentication Source, but require different attributes, in different formats (using different names, and so on).

To avoid duplicating settings, or having to create custom code for different Service Providers, AuthStack uses Attribute Mapping sets to describe how to transform attributes for a particular Service Provider.

Each Service Provider integrated with AuthStack requires:

  1. A Connection to be specified (A connection is a configuration for accessing an Authentication Source)
  2. Attribute Mapping (Ensuring correct information in the required format is delivered to the Service Provider)

The System Attribute Mapping is protected and cannot be edited or deleted. It is required to log in administrators stored in the MySQL database shipped with AuthStack.

Creating an Attribute Mapping Set

From within the Attribute Mapping listing, click New Attribute Mapping in the top right.


Complete the remaining fields using the guidance below.

| Field | Description |
|---|---|
| Mapping Title | Use a distinguishable title, as this is used in other areas of the administration |
| Select a Connection | Select from a list of existing connections |
| NameID Format | The most common option is email - Read more about NameID |
| First and Last Name Attributes for Profile Page | Specify which attributes returned from the connection should be used to display your name. In the right-hand side menu, locate the attribute you would like to use and type its name between curly braces, {{ }}, in this field. For example, if the attribute name is first_name, you'd use {{first_name}} to denote that the value of first_name should be used. Multiple attributes can be combined, allowing combinations such as {{first_name}} {{middle_name}} {{last_name}}. |
| Email Attribute for Profile Page | As above, locate and specify the attribute returned for email. |
| Is NameID | Specify which returned attribute is used for NameID. This is usually email, uid, or a unique field used to identify the user. Read more about NameID |


Select Required Attributes

Select the attributes you wish to forward to the Service Provider. You may wish to send all values or limit the attributes to the bare minimum. Only ticked attributes will be passed to the Service Provider.



Adding Custom Attributes

One or more custom attributes can be added by clicking Add Custom Attribute. A custom attribute can be a fixed value or the value of an attribute returned by the connection. One or more existing attributes can also be combined to create a new custom attribute.


Obfuscating Data

In certain circumstances there may be a requirement to obfuscate the data sent to a third-party Service Provider. Four (4) methods are available for use within the Custom Attributes section. For example, a third party requires the email address to be passed as an attribute, which is used as a unique identifier during the login process. To protect the email address, we still pass along the mail attribute, but hashed with MD5.

Details of the four (4) methods:

| Method | Description |
|---|---|
| hbs_uppercase | Returns the attribute value in uppercase |
| hbs_lowercase | Returns the attribute value in lowercase |
| hbs_md5 | Produces an MD5 hash of the attribute value |
| hbs_sha1 | Produces a SHA-1 hash of the attribute value |
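
The following Python sketch models the mapping steps described above (ticking attributes, adding custom attributes from {{name}} templates, and applying one of the four methods) so the forwarded result can be checked end to end. It is an added example, not AuthStack code: the function names, the tuple layout for custom attributes, the empty-string handling of unknown placeholders and the sample values are all assumptions.

```python
import hashlib
import re

# The four methods named on this page, modelled with Python's standard library.
METHODS = {
    "hbs_uppercase": str.upper,
    "hbs_lowercase": str.lower,
    "hbs_md5": lambda v: hashlib.md5(v.encode("utf-8")).hexdigest(),
    "hbs_sha1": lambda v: hashlib.sha1(v.encode("utf-8")).hexdigest(),
}
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, attrs):
    """Replace each {{name}} with its value (sketch choice: unknown names become empty)."""
    return PLACEHOLDER.sub(lambda m: attrs.get(m.group(1), ""), template).strip()


def apply_mapping(source_attrs, forwarded, custom):
    """Return only the ticked attributes plus the rendered custom attributes.

    custom maps an output name to (template, method or None). This layout is
    an assumption of the sketch, not AuthStack's storage format.
    """
    out = {name: source_attrs[name] for name in forwarded if name in source_attrs}
    for name, (template, method) in custom.items():
        value = render(template, source_attrs)
        out[name] = METHODS[method](value) if method else value
    return out


def matches_candidate(digest, candidate_email):
    """An unsalted digest is deterministic, so its holder can test a guessed address."""
    return digest == METHODS["hbs_md5"](candidate_email)


# Constructed sample attributes, as if returned by a connection.
SOURCE = {"first_name": "Alice", "last_name": "Ng",
          "mail": "Alice.Ng@example.com", "department": "Finance"}
RESULT = apply_mapping(
    SOURCE,
    forwarded=["first_name", "last_name"],        # "department" is not ticked
    custom={
        "display_name": ("{{first_name}} {{last_name}}", None),
        "tenant": ("example-tenant", None),       # fixed value
        "mail": ("{{mail}}", "hbs_md5"),          # obfuscated identifier
    },
)
```

Because the digest is unsalted and deterministic, it keeps the address out of plain view but lets anyone holding the digest confirm a guessed address. A case difference in the source value also produces a different identifier, which matters when the hash is used as the unique login key.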


Previewing Attributes

Clicking the Preview button will load a sample of the SAML data returned to a Service Provider, allowing you to adjust as necessary until you are satisfied with the results.


