Technical Tip: SAML attribute mapping

This article describes about SAML attribute mapping.

Attribute mapping is mapping one attribute name to another name.

Any available attribute may be mapped from the IdP library for example 'Google Directory Attribute' can be mapped to a new attribute name and a new attribute name can be used on SP as group-name or user-name information.

'FortiGate' will be acting as 'Service Provider' (SP) and 'GOOGLE' will be acting as 'Identity Provider' (IdP). 

SP – is who is providing the Service.

IdP – is who is doing Authentication.

For example: 

On the Google IdP side, map the 'Primary Email' to new attributes: 'BOGUS' and 'Username'.

IdP side will send to SP two attributes named 'Username' and 'BOGUS' with the 'Primary Email' information.

samld_send_common_reply [118]:     Attr: 10, 32, 'Username' 'agrakov@mydomain.my'

samld_send_common_reply [118]:     Attr: 10, 29, 'BOGUS' 'agrakov@mydomain.my'

Depending on SP configuration (mapping), SP can map attribute 'BOGUS' or 'Username' to be used as user-name information.

or only 'Primary email' to 'BOGUS' can be mapped, and use the attribute on the SP side as user-name information.

samld_send_common_reply [122]:     Attr: 18, 29, 2022-10-03T17:01:13.362Z

samld_send_common_reply [118]:     Attr: 10, 17, 'Groupname' 'IT'

samld_send_common_reply [118]:     Attr: 10, 29, 'BOGUS' 'agrakov@myDomain.my'

samld_send_common_reply [118]:     Attr: 10, 25, 'Groupname' 'IT-Support'

On the Google IdP side, map 'Department' with 'Google groups' to the new attribute 'Groupname'.

On the SP side, map 'Groupname' to be used as group-name information.

# config user saml

      edit "GOOGLE-SAML"
         set group-name "Groupname" 

  end
 

IdP side will send two attributes 'Groupname' with group-name information.

Groupname values: IT and IT-Support.

samld_send_common_reply [118]:     Attr: 10, 17, 'Groupname' 'IT'

samld_send_common_reply [118]:     Attr: 10, 32, 'Username' 'agrakov@myDomain.my'

samld_send_common_reply [118]:     Attr: 10, 25, 'Groupname' 'IT-Support'

SP side has multiple groups configured, one group for IT and the second for IT-Support.

# config user group
      edit "GOOGLE-SAML-IT-Support"

         set member "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"

         config match

            edit 1

                set server-name "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"

                set group-name "IT-Support"

            next

          end
       next

       edit "GOOGLE-SAML"

          set member "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"

          config match

             edit 1

                 set server-name "DRAGON-ARMOR-PROJECT-IDP_GOOGLE"

                 set group-name "IT"

              next

           end

        next

   end

As attribute IT and IT-Support was sent from the IdP side, the SP side has been associated with the user with the groups.