Forum Discussion

Kyle_S
Nov 18, 2015

SAML IdP logon page to pass email address to SP

I created a logon page which uses username and password to authenticate the user with AD, but the SP is requesting the user's email address in the SAML assertion. If I set the IdP service Assertion Subject Value to %{session.logon.last.logonname} I can see that attribute when running the Firefox SAML Tracer. If I change the Subject value to %{session.ad.last.attr.mail} I do not see the email address in the SAML Assertion. Do I need to add an AD Query or Variable Assignment in the VPE to get the email address, and how do I get that into the assertion? An additional question if anyone cares to chime in: what do I set as the Assertion Subject Type? When would you select Entity Identifier, Transient Identifier, or Email Address? I tried all of the aforementioned but it didn't get me the correct results.

2 Replies

  • You must use the AD Query agent in the VPE. If you do not specify any attribute for selection, ALL attributes are returned from AD for that user. For memory and performance reasons, I would suggest that you explicitly code which attributes you want to store in the users' session.

    In my SAML uses, I usually have the entity id set as unspecified. I guess this depends on what your SP is expecting.


  • Kyle_S

    I have found several examples on how to pull the username or group membership. Does anyone have an example of how to pull the email address from AD? Sorry, I am a network guy deep down and the AD stuff is still sinking in.
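The first reply's advice (run an AD Query, then reference the stored attribute in the subject) is easiest to confirm by reading what the SAML tracer actually captured. The following added example is not from the thread or from F5; it parses a constructed, unsigned SAML 2.0 assertion with made-up names and reports the Subject NameID, its Format, and the attributes delivered, so you can tell whether the mail attribute reached the assertion at all and whether the subject is declared in the emailAddress format an SP usually expects.

```python
# Added example (not from the thread or from F5): inspect a SAML 2.0 assertion
# as captured in a browser SAML tracer and report what the SP will receive.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed, unsigned sample of what an IdP emits when the subject value is
# %{session.ad.last.attr.mail} after a successful AD Query. Names are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2015-11-18T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=VPN Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (name_id, name_id_format, {attr_name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    fmt = name_id.get("Format") if name_id is not None else None
    attrs = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return subject, fmt, attrs

def subject_is_email(xml_text):
    """True only if the NameID is non-empty, declares the emailAddress format and
    looks like an address. An empty NameID is the symptom seen in the question:
    the session variable was never populated because no AD Query ran first."""
    subject, fmt, _ = parse_assertion(xml_text)
    return bool(subject) and fmt == EMAIL_FORMAT and "@" in subject

if __name__ == "__main__":
    subj, fmt, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("NameID:", subj, "Format:", fmt, "Attributes:", attrs)
    print("Subject usable as email:", subject_is_email(SAMPLE_ASSERTION))
```

Paste the decoded assertion from the tracer in place of the constructed sample; an empty NameID with no mail attribute means the AD Query (or its attribute selection) is missing, while a populated NameID with a mismatched Format points at the Subject Type setting instead.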