kiri
Staff & Editor
October 18, 2024

Technical Tip: How to configure and use a custom SAML user attribute.

Description
This article describes how to configure and use a custom SAML user attribute.

Scope
FortiAuthenticator 6.5, 6.6.

Solution

If a SAML app or SP expects a user attribute other than the pre-configured ones (DN, sAMAccountName, userPrincipalName, etc.), a custom attribute such as a phone number can be configured.

This example uses LDAP/AD as the authentication server, but the same logic applies to the other authentication server types (Remote RADIUS Server -> RADIUS Attribute; Remote SAML Server -> SAML assertion).

See Service providers in the FortiAuthenticator admin guide.

The following debug commands can be used on a FortiGate to check whether the custom attribute was correctly passed on:

diag debug application saml -1
diagnose debug enable

...
</NidAndSessionIndex>
</Session>
samld_send_common_reply [99]: Attr: 17, 33, magic=b-1e596b4e4d6fd2c3
samld_send_common_reply [99]: Attr: 18, 29, 2024-10-18T11:58:20Z
samld_send_common_reply [95]: Attr: 10, 26, 'username' 'fortinet'
samld_send_common_reply [95]: Attr: 10, 25, 'group' 'LDAP GROUP'
samld_send_common_reply [95]: Attr: 10, 37, 'mobilephoneinfo' '+49123456789'
samld_send_common_reply [99]: Attr: 11, 652, https://fortiauth.local/saml-idp/fgtlab149/logout/?SAMLRequest ...
...

A SAML trace would show the same information:

...
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>fortinet</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>LDAP GROUP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mobilephoneinfo">
        <saml:AttributeValue>+49123456789</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
...

The LDAP/AD user attribute mobile (value +49123456789) was correctly mapped by FortiAuthenticator to the SAML attribute mobilephoneinfo and passed on to the SP.
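The same check can be automated on the SP side. The script below is an added example, not code from the article or from any Fortinet product: it extracts the attributes from a SAML response and from the FortiGate samld debug lines shown above, confirms the two agree, and verifies that the custom attribute is present with the expected value. The sample response and debug lines are constructed from the values in the article (the response is a minimal skeleton with subject, conditions and signature omitted), and the parser assumes the assertion's signature has already been verified by the SP, since attribute values from an unverified assertion must not be trusted.

```python
"""Added example (not part of the original article or any Fortinet tool):
extract SAML attributes from an assertion and from FortiGate
'samld_send_common_reply' debug lines, then confirm the custom attribute
reached the SP with the expected value.

Assumption: the SP has already validated the assertion's XML signature.
For production SP code, parse with defusedxml instead of xml.etree to
guard against entity-expansion attacks in attacker-supplied XML.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal SAML Response carrying the AttributeStatement
# from the article's trace (IDs are placeholders; signature omitted).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response" Version="2.0"
                IssueInstant="2024-10-18T11:58:20Z">
  <saml:Assertion ID="_constructed-assertion" Version="2.0"
                  IssueInstant="2024-10-18T11:58:20Z">
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>fortinet</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="group">
        <saml:AttributeValue>LDAP GROUP</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mobilephoneinfo">
        <saml:AttributeValue>+49123456789</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed sample: FortiGate debug lines in the format shown in the article.
SAMPLE_DEBUG = """\
samld_send_common_reply [99]: Attr: 18, 29, 2024-10-18T11:58:20Z
samld_send_common_reply [95]: Attr: 10, 26, 'username' 'fortinet'
samld_send_common_reply [95]: Attr: 10, 25, 'group' 'LDAP GROUP'
samld_send_common_reply [95]: Attr: 10, 37, 'mobilephoneinfo' '+49123456789'
samld_send_common_reply [99]: Attr: 11, 652, https://fortiauth.local/saml-idp/fgtlab149/logout/?SAMLRequest ...
"""

# Only the quoted 'name' 'value' pairs carry user attributes; the timestamp
# and logout-URL Attr lines are skipped.
DEBUG_ATTR = re.compile(r"Attr: \d+, \d+, '([^']*)' '([^']*)'\s*$")


def parse_saml_attributes(xml_text: str) -> dict[str, list[str]]:
    """Return {Name: [values...]} for every saml:Attribute in the response."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def parse_samld_debug(log_text: str) -> dict[str, list[str]]:
    """Return {name: [values...]} from FortiGate samld debug output."""
    attrs: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = DEBUG_ATTR.search(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def check_custom_attribute(attrs: dict[str, list[str]], name: str,
                           expected: str | None = None) -> tuple[bool, str]:
    """Verify the custom attribute is present and, if given, has exactly the
    expected single value; missing or multi-valued attributes are failures so
    the SP mapping never silently falls back to an empty value."""
    values = attrs.get(name, [])
    if not values:
        return False, f"{name!r} missing from the assertion"
    if expected is not None and values != [expected]:
        return False, f"{name!r} is {values}, expected [{expected!r}]"
    return True, f"{name!r} = {values}"


if __name__ == "__main__":
    from_assertion = parse_saml_attributes(SAMPLE_RESPONSE)
    from_debug = parse_samld_debug(SAMPLE_DEBUG)
    print("assertion :", from_assertion)
    print("debug     :", from_debug)
    print("consistent:", from_assertion == from_debug)
    print(check_custom_attribute(from_assertion, "mobilephoneinfo", "+49123456789"))
    print(check_custom_attribute(from_assertion, "mail"))
```

Running the script against a real response and debug capture shows at a glance whether the IdP emitted the attribute, whether the SP received the same name and value, and whether the SP's expected attribute name (here mobilephoneinfo) matches what was configured on FortiAuthenticator; a name mismatch on either side surfaces as a "missing" result rather than a silent empty value.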