Attribute & Role Mapping


Attribute and role mapping is the on-the-fly assignment of the attributes and groups that your users carry in your IdP. When a user performs SSO, the IdP sends attributes such as NameID and Email, which are then used to grant the user specific functionality, for example to allow or restrict access to resources. The Attribute / Role Mapping tab lets you enable these attribute-driven functions for your users during SSO.

This tab contains the following 3 sections:

  1. Attribute Mapping
    Attributes are the user details that are stored in your Identity Provider. These attributes include Username, Email, First Name, Last Name, Group/Role, Display Name, etc. The Attribute Mapping feature helps you to map these user attributes sent by the IDP to the ASP.NET user attributes.

    • Every time your users SSO into your ASP.NET application, these attributes will be automatically mapped to your application’s user profile.

    • If any existing user performs the SSO, then their application account will be fetched and their profile will be updated based on attributes received from the IDP.

    • By default, the Username and Email are the two basic attributes that are used for attribute mapping. Generally, the NameID value is what’s used for this purpose.

    • You can choose and set attributes sent by the IDP to be mapped with attributes like FirstName and LastName.

    • The Group/Role field can be used as a group transformation attribute. Map the Group/Role field to the name of the attribute in which the IdP sends the user’s group information.

    • Depending on the value of the Group attribute, you can assign single or multiple roles to the users. The custom roles are also supported for the mapping. Please refer to the role mapping section for more information.

    (Image: Attribute Mapping section)

    Map Custom Attributes

    • Map Custom Attributes is an additional feature for mapping further attributes to the ASP.NET users. Using it you can map, and then access in your application, additional attributes received from the IdP.

    • Suppose you want to map attributes like Phone No., City, State or Department: add these attributes in your IdP, then set them up in your custom attribute mapping so that each is mapped to its equivalent application attribute.

    • For example, the image below shows the above attributes which are sent from the Identity Provider appropriately added and mapped to their equivalent attributes name.

    (Image: Custom Attribute example)

  2. Role Mapping

    • This feature can be used to assign different roles to users based on their SAML attributes. The roles are applied to a user once they meet the specified conditions while logging in to your application via Single Sign-On.

    • This feature allows you to provide user capabilities based on their IdP attribute Group values.

    • Before enabling this setting, please make sure you’ve configured the attribute name in the Group/Role field of the Attribute Mapping section.

      (Image: Role Mapping section)

    • If the admin wants the users of one or more particular IdP groups to be restricted from logging in to the site, this can be enabled by providing the group value(s).

    • For example, a group of students with Off-Campus Registration has been assigned the IdP group ‘Outside Users’, and the admin does not want those users to access the site.

  3. Domain Restriction

    • This feature can be used to restrict/allow user access to the application based on the domain of their email address.

    • You can provide multiple domains to restrict by entering the domain values separated by commas (,).

      It has the following 2 ways to use this feature:

      1. Allow users to login with specified domains - If this option is enabled, only users of the specified domains will be allowed to log in or register.

      2. Deny users to login with specified domains - If this option is enabled, users of the specified domains will be prevented from logging in. All remaining users will be allowed to log in.

      (Image: Domain Restriction)

    • For example, if you do not want users of ‘miniOrange’ (i.e. miniorange.com) to log in to your site, simply enter miniorange.com in the input field and select the radio button Deny users to login with specified domains.
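As an added example that is not part of the miniOrange module’s own code, the C# below models the three mechanisms this page describes together: the Attribute Mapping of IdP attributes onto an application profile (including custom attributes), the Role Mapping of Group/Role values onto application roles with a restricted IdP group, and the allow/deny Domain Restriction on the e-mail domain. Every class, method, attribute name, group value and domain in it is an assumption made for illustration.

```csharp
// Added example (not the miniOrange module's own code); attribute names, group
// values and domains are constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;

public enum DomainMode { Off, AllowListed, DenyListed }

public class SsoProfile
{
    public string Username = "", Email = "", FirstName = "", LastName = "";
    public HashSet<string> Roles = new HashSet<string>();
    public Dictionary<string, string> Custom = new Dictionary<string, string>();
}

public static class AttributeRoleMapper
{
    // Domain Restriction: true when the e-mail domain passes the allow/deny list.
    public static bool DomainAllowed(string email, DomainMode mode, string domainList)
    {
        var domains = new HashSet<string>(domainList.Split(',')
            .Select(d => d.Trim().ToLowerInvariant()).Where(d => d.Length > 0));
        int at = email.LastIndexOf('@');
        bool listed = at >= 0 && domains.Contains(email.Substring(at + 1).ToLowerInvariant());
        return mode == DomainMode.Off || (mode == DomainMode.AllowListed ? listed : !listed);
    }

    // attrMap: application field -> SAML attribute name (Attribute Mapping tab);
    // roleMap: IdP group value -> application roles (Role Mapping tab);
    // blockedGroups: IdP groups whose members may not log in.
    public static SsoProfile Map(Dictionary<string, List<string>> samlAttrs,
        Dictionary<string, string> attrMap, Dictionary<string, string[]> roleMap,
        HashSet<string> blockedGroups, IEnumerable<string> customAttrs)
    {
        List<string> Values(string field) =>
            attrMap.TryGetValue(field, out var a) && samlAttrs.TryGetValue(a, out var v) ? v : new List<string>();
        string First(string field) => Values(field).FirstOrDefault() ?? "";
        var p = new SsoProfile { Username = First("Username"), Email = First("Email"),
                                 FirstName = First("FirstName"), LastName = First("LastName") };
        foreach (var c in customAttrs)
            if (samlAttrs.TryGetValue(c, out var v) && v.Count > 0) p.Custom[c] = v[0];
        // The Group/Role attribute may be multi-valued; each value may grant several roles.
        var groups = Values("Group");
        if (groups.Any(blockedGroups.Contains))
            throw new UnauthorizedAccessException("user belongs to a restricted IdP group");
        foreach (var grp in groups)
            if (roleMap.TryGetValue(grp, out var roles)) p.Roles.UnionWith(roles);
        return p;   // empty Username/Email means the IdP did not send the mapped attribute
    }
}
```

Call `DomainAllowed` with the user’s mapped Email before creating or updating the account, and treat an empty Username or Email from `Map` as a mapping misconfiguration rather than a valid login.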