Thank you Shane, that made sense.
I finally could achieve what I wanted. I may have to add
error resiliency to the mapping as you said.
The below code worked.
//SAML20 SP mapping rule
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement);
// Get username from incoming SAML assertion
var qualified_username = stsuu.getAttributeContainer().getAttributeValueByName("username");
// Clear the working object. We will explicitly add back everything we want to send in the SAML to CIC.
stsuu.clear();
// Set the NameID attribute of the SAML assertion to the generated qualified_username
stsuu.addPrincipalAttribute(new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", qualified_username));
// Done.
------------------------------
Yashas S N
------------------------------
Original Message:
Sent: Wed July 13, 2022 01:37 AM
From: Shane Weeden
Subject: SAML mapping rule
1. You want to add a lot more error resiliency to the mapping rule in case things are not as you expect in the SAML assertion.
2. There are much simpler APIs available:
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
let name = stsuu.getAttributeValueByName("name");
if (name != null) {
stsuu.setPrincipalName(name);
} else {
IDMappingExtUtils.throwSTSUserMessageException("Invalid SAML assertion");
}
------------------------------
Shane Weeden
IBM
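Putting Shane's two points together (defensive checks first, then the simple setPrincipalName call), here is an added example that is not code from this thread or from IBM. The value checks are plain JavaScript so they can be exercised outside ISAM; the wiring at the bottom only runs where the Rhino global stsuu exists. Assumptions: the attribute is named "username" as in the question, AttributeList.getAttributeValuesByName returns a Java String[] (or null), IDMappingExtUtils lives in com.tivoli.am.fim.trustserver.sts.utilities, and the email-shaped regex is a deliberately loose constructed check, not a full RFC 5322 validator.

```javascript
// Defensive principal-name extraction for a SAML 2.0 SP mapping rule.
// Added example (not from the thread); see the lead-in for assumptions.

// Loose, constructed sanity check: one "@", no whitespace, a dot after the "@".
var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// values: array of strings taken from one SAML attribute (may be null or empty).
// Returns { ok: true, value } or { ok: false, reason }.
// Refuses to guess when the attribute is missing, blank, or multi-valued.
function resolvePrincipalName(values) {
  if (values == null || values.length === 0) {
    return { ok: false, reason: "attribute missing" };
  }
  var nonEmpty = [];
  for (var i = 0; i < values.length; i++) {
    var v = values[i];
    if (typeof v === "string" && v.trim() !== "") {
      nonEmpty.push(v.trim());
    }
  }
  if (nonEmpty.length === 0) {
    return { ok: false, reason: "attribute has no non-empty value" };
  }
  if (nonEmpty.length > 1) {
    return { ok: false, reason: "attribute is multi-valued; refusing to pick one" };
  }
  if (!EMAIL_RE.test(nonEmpty[0])) {
    return { ok: false, reason: "value is not email-shaped" };
  }
  return { ok: true, value: nonEmpty[0] };
}

// ISAM wiring (assumption: executed as a SAML 2.0 SP mapping rule in Rhino).
// Skipped entirely when this file is run under Node, where stsuu is undefined.
if (typeof stsuu !== "undefined") {
  importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
  var javaValues = stsuu.getAttributeContainer().getAttributeValuesByName("username");
  var values = [];
  if (javaValues != null) {
    for (var j = 0; j < javaValues.length; j++) {
      values.push(String(javaValues[j])); // java.lang.String -> JS string
    }
  }
  var result = resolvePrincipalName(values);
  if (!result.ok) {
    // Detail goes to the trace log; the user only sees a generic failure.
    IDMappingExtUtils.traceString("SP mapping rule rejected assertion: " + result.reason);
    IDMappingExtUtils.throwSTSUserMessageException("Invalid SAML assertion");
  }
  stsuu.setPrincipalName(result.value);
} else {
  // Constructed sample input for running outside ISAM.
  var sample = ["xyz@domain.com"];
  console.log(JSON.stringify(resolvePrincipalName(sample)));
}
```

Rejecting a multi-valued attribute rather than silently taking the first value matters here because the result becomes the IV-User header, i.e. the identity the application trusts; ambiguity should fail closed and be visible in the trace.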
Original Message:
Sent: Tue July 12, 2022 04:19 AM
From: Yashas S N
Subject: SAML mapping rule
Hello Team,
We are doing an SP-initiated SAML federation with Azure. As the user enters the credentials on the Azure login page (xyz@domain.com), the IV-User header that is passed to the application by default is xyz@domain.com. The IDP is sending another attribute named username which matches the user present in the application DB, and hence I need to map this username attribute to be sent in the IV-User header to the target app. I have written an SP mapping rule; please let me know if it is correct?
//SAML20 SP mapping rule
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
var c = stsuu.getAttributeContainer();
// "username" is the IDP attribute that matches the user in the application DB
var uname = c.getAttributeByName("username").getValues();
var attrs = [];
attrs.push(new Attribute("name", null, uname)); // built but never attached to stsuu
stsuu.addPrincipalAttribute(new Attribute("principal", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", uname));
------------------------------
Yashas S N
------------------------------