As you would imagine, a mapping process exists so that you can specify incoming and outgoing attribute names. These mappings are defined under the rules menu, and need to be switched on or off on the connection used by the application. Where a connection is used by multiple applications, the rules will apply to all of them.
Out of the box there are some useful rules that we have pre-defined for you:
Affiliation and scope derived from eduPersonScopedAffiliation
- This one separates out scope and role from the single SAML attribute that contains both
- Scope is the recommended organisation identifier in SAML
- It is not turned on by default, but is often useful
- Set on by default for new connections
- This one maps the three most commonly used SAML attributes to sensible claim names (targetedID, scopedAffiliation and entitlement)
- This one maps all the less common SAML attributes and will usually not be necessary
- This one adds the IdP entityID and SP entityID to the end-user's targetedID and normalises it.
- It is intended for people migrating from OpenAthens SP or Shibboleth who were using the longform version of targetedID, so that they can maintain user IDs
- (Longform example:
- (Longform example:
The rule for legacy OpenAthens is not necessary for new services and is included only to help publishers migrate old services to federation identifiers.
There are a couple of rule types you can use to extend the mapping capability. The simple mapping rules can modify both the name and value using regular expressions - some examples:
|Name||Changes the attribute name|
|Value||Removes all but the domain part of a scopedAffiliation value or email address|
Strips everything before the final slash in a name and replaces it with mynamespace - e.g.
To create or edit a rule set
Rule sets are created and managed from the rules menu on the side of the publisher dashboard. To add a new one click the green button at the top of the page:
To create or edit a rule
Once you have your rule set, you can populate it with rules.
You can either add a new mapping, or edit, clone or delete an existing one via the menu next to each rule.
To edit a rule:
This example uses a regular expression to extract the internet domain from an email address after changing the name to emailDomain.
If you do not add anything to either box in the value line, the value is unchanged.
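The name and value rewriting described above, as an added example that is not OpenAthens code: it renames an attribute to emailDomain and keeps only the domain, splits a scoped affiliation into role and scope, and replaces a name prefix with mynamespace. The `Rule` fields, the sample attributes and the regular expressions (Python syntax) are assumptions, and dropping a value that does not fully match its pattern is a choice made in this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    """Hypothetical model of one simple mapping rule (not the product's schema)."""
    source: str              # incoming SAML attribute name
    name_match: str = ""     # regex applied to the name; empty = name unchanged
    name_replace: str = ""
    value_match: str = ""    # regex applied to each value; empty = value unchanged
    value_replace: str = ""

def apply_rules(attributes, rules):
    """Return outgoing claims for the incoming attributes that have a rule."""
    claims = {}
    for rule in rules:
        for value in attributes.get(rule.source, []):
            name = rule.source
            if rule.name_match:
                name = re.sub(rule.name_match, rule.name_replace, name)
            if rule.value_match:
                # Whole value must match, so a malformed value is dropped, not passed on.
                m = re.fullmatch(rule.value_match, value)
                if m is None:
                    continue
                value = m.expand(rule.value_replace)
            claims.setdefault(name, []).append(value)
    return claims

# Constructed sample input: attribute names and values are illustrative only.
INCOMING = {
    "mail": ["a.reader@library.example.ac.uk"],
    "eduPersonScopedAffiliation": ["member@example.ac.uk", "no-scope-here"],
    "urn:example/attrs/department": ["Chemistry"],
}

RULES = [
    # Rename to emailDomain and keep only the domain part of the address.
    Rule("mail", r"^mail$", "emailDomain", r"[^@\s]+@([^@\s]+)", r"\1"),
    # Split the scoped affiliation into role and scope.
    Rule("eduPersonScopedAffiliation", r"^.+$", "affiliation", r"([^@\s]+)@[^@\s]+", r"\1"),
    Rule("eduPersonScopedAffiliation", r"^.+$", "scope", r"[^@\s]+@([^@\s]+)", r"\1"),
    # Replace everything before the final slash with mynamespace; value untouched.
    Rule("urn:example/attrs/department", r"^.*/", "mynamespace/"),
]

if __name__ == "__main__":
    for claim, values in apply_rules(INCOMING, RULES).items():
        print(claim, values)
```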