Important

This document is a DRAFT. The information contained herein is subject to change.

Attribute Mapping Examples#

Working with defaults#

<?xml version="1.0" encoding="UTF-8"?>
<!-- Sample SAML 2.0 Response used by every mapping example on this page.
     The "Resulting Attributes" tables below are populated from the values in
     this document: NameID, SubjectConfirmationData/@NotOnOrAfter and the
     Attribute elements in the AttributeStatement.
     NOTE(review): the sample carries no Signature element on the Response or
     the Assertion. It is illustrative only; a response the mapping actually
     consumes must be signature-verified (and its NotOnOrAfter checked) before
     any attribute below is trusted. -->
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 ID="_7fcd6173-e6e0-45a4-a2fd-74a4ef85bf30"
                 IssueInstant="2017-11-15T16:19:06.310Z"
                 Version="2.0">
    <!-- The xs prefix declared on the root is what the xsi:type="xs:string"
         attributes further down resolve against. -->
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://test.rackspace.com</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_406fb7fe-a519-4919-a42c-f67794a670a5"
                    IssueInstant="2017-11-15T16:19:06.310Z"
                    Version="2.0">
      <saml2:Issuer>http://my.rackspace.com</saml2:Issuer>
      <saml2:Subject>
        <!-- NameID value "john.doe" is what the mapping examples report as the
             default for the "name" field. -->
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.doe</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <!-- NotOnOrAfter is the value the examples report as the default
                 for the "expire" field. -->
            <saml2:SubjectConfirmationData NotOnOrAfter="2017-11-17T16:19:06.298Z"/>
        </saml2:SubjectConfirmation>
      </saml2:Subject>
      <saml2:AuthnStatement AuthnInstant="2017-11-15T16:19:04.055Z">
        <saml2:AuthnContext>
            <!-- NOTE(review): the class-ref text below runs onto a second line,
                 so its content includes a line break and indentation before the
                 closing tag. A consumer comparing this URI exactly would need to
                 trim it; keeping the value on one line avoids the question. -->
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
            </saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
      </saml2:AuthnStatement>
      <saml2:AttributeStatement>
        <!-- Attributes referenced by the mapping examples: "roles", "domain" and
             "email" supply the defaults of the like-named fields; "FirstName"
             and "LastName" are read explicitly with At(...). "bar" is unused.
             Style: xmlns:xsi is redeclared on every AttributeValue; declaring it
             once on the root element would be the conventional form. -->
        <saml2:Attribute Name="roles">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">nova:admin</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="domain">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">323676</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="email">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">no-reply@rackspace.com</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="bar">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BAR!</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="FirstName">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName">
            <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe</saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>
   </saml2:Assertion>
</saml2p:Response>
---
# RAX-1 mapping in which every user field takes its default value, "{D}":
# the value the mapping derives for that field from the SAML response above
# (compare the "Resulting Attributes" table that follows).
mapping:
  version: RAX-1
  rules:
  - local:
      user:
        domain: "{D}"   # default resolves to the "domain" SAML attribute (323676)
        name:   "{D}"   # default resolves to the Subject NameID (john.doe)
        email:  "{D}"   # default resolves to the "email" SAML attribute
        roles:  "{D}"   # default resolves to the "roles" SAML attribute value(s)
        expire: "{D}"   # default resolves to SubjectConfirmationData NotOnOrAfter

Resulting Attributes:

domain 323676
name john.doe
email no-reply@rackspace.com
roles
  • nova:admin
expire 2017-11-17T16:19:06.298Z

Accessing a default from a different field#

---
# Same as the all-defaults mapping, except that "email" is composed from the
# default of ANOTHER field: "{D(name)}" expands to the name field's default
# (john.doe), so the "email" SAML attribute itself is no longer used.
mapping:
  version: RAX-1
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        email: "{D(name)}@rackspace.com"   # yields john.doe@rackspace.com
        roles: "{D}"
        expire: "{D}"

Resulting Attributes:

domain 323676
name john.doe
email john.doe@rackspace.com
roles
  • nova:admin
expire 2017-11-17T16:19:06.298Z

More complex example with multiple substitutions#

---
# Several "{D(field)}" substitutions may appear in one value, mixed with
# literal text. Here "email" uses the name default twice and the domain
# default once.
mapping:
  version: RAX-1
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        # yields: john.doe <john.doe@323676.rackspace.com>
        email: "{D(name)} <{D(name)}@{D(domain)}.rackspace.com>"
        roles: "{D}"
        expire: "{D}"

Resulting Attributes:

domain 323676
name john.doe
email john.doe <john.doe@323676.rackspace.com>
roles
  • nova:admin
expire 2017-11-17T16:19:06.298Z

Mixing in non-default attributes#

---
# "{At(<AttributeName>)}" reads a named SAML Attribute from the
# AttributeStatement directly, rather than a field default. FirstName and
# LastName have no default field of their own, so this is the only way to
# reach them.
# NOTE(review): the composed "email" value is built verbatim from
# IdP-asserted attribute text; presumably no format validation is applied at
# this point, so treat it as IdP-controlled input downstream. Confirm.
mapping:
  version: RAX-1
  rules:
  - local:
      user:
        domain: "{D}"
        name: "{D}"
        # yields: John Doe <john.doe@323676.rackspace.com>
        email: "{At(FirstName)} {At(LastName)} <{D(name)}@{D(domain)}.rackspace.com>"
        roles: "{D}"
        expire: "{D}"

Resulting Attributes:

domain 323676
name john.doe
email John Doe <john.doe@323676.rackspace.com>
roles
  • nova:admin
expire 2017-11-17T16:19:06.298Z

Working with expiration#

Working with lists#

Black lists#

White lists#

Important

This document is a DRAFT. The information contained herein is subject to change.