Attribute & Role Mapping


Attribute Mapping/Role Mapping is a feature of the Umbraco SAML 2.0 plugin that maps the user attributes/roles in the IdP to the ASP.NET user attributes/roles.

Attribute Mapping - Attribute mapping involves mapping user attributes from the IdP with the ASP.NET user attributes.

Role Mapping - Role mapping is the process of mapping user roles from the IdP with the ASP.NET user roles.

This tab contains the following 3 sections:

  1. How Basic Attribute Mapping Works
    Attributes are the user details that are stored in your Identity Provider. These attributes include Username, Email, First Name, Last Name, Group/Role, Display Name, etc. The Attribute Mapping feature helps you to map these user attributes sent by the IDP to the ASP.NET user attributes.

    • By default, the Username and Email are the two basic attributes that are used for attribute mapping. Generally, the NameID value is what’s used for this purpose.

    • You can choose and set attributes sent by the IDP to be mapped with attributes like FirstName and LastName.

    • The image below shows the basic attributes sent from the Identity Provider, added and mapped to their equivalent ASP.NET SAML Plugin attributes.

    [Image: Attribute Mapping section]

    How Custom Attribute Mapping Works

    • Custom Attribute Mapping is an additional feature that maps custom attributes to ASP.NET users. With it, you can map additional attributes received from the IdP and access them in your application.

    • Suppose you want to map attributes like Phone no., Permanent Address, City, State, Department, etc. You simply add these attributes in your IdP and set them up in your Custom Attribute Mapping to map them to their equivalent attributes.

    • For example, the image below shows the above attributes sent from the Identity Provider, added and mapped to their equivalent attribute names.

    [Image: Custom Attribute example]

  2. How Role Mapping Works

    • This feature can be used to assign and manage roles of the users when they perform SSO. Along with the default ASP.NET roles, this is compatible with any custom roles as well.

    • This feature allows you to provide user capabilities based on their IdP attribute Group values.

    • Before enabling this setting, please make sure you’ve configured the attribute name in the Group/Role field of the Attribute Mapping section.

    • For example, you can map the 'Educator' and 'Supporter' roles from your IdP's group attribute 'MyIDPGroups' to your Umbraco 'Teachers' and 'SupportStaff' roles, as shown in the image below.

      [Image: Role Mapping section]

  3. How Domain Restriction Works

    • This feature can be used to restrict user access to the application based on the domain of their mapped "Email" attribute.

    • You can provide multiple domains to restrict by entering the domain values separated by commas (,).

      [Image: Domain Restriction]

    • For example, if you want to restrict user access to 'miniOrange' (i.e. miniorange.com), you can simply enable the restrict toggle button and enter miniorange.com in the input field.
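
The role mapping and domain matching described above, as an added C# sketch that is not the plugin's own code. The class and method names, the attribute dictionary shape and the case-sensitive group comparison are assumptions made for illustration; whether a domain match permits or blocks sign-in is decided by the plugin setting and is not modelled here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class SamlMappingExample
{
    // Constructed role map using the page's sample names: IdP group value -> Umbraco role.
    static readonly Dictionary<string, string> RoleMap =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["Educator"] = "Teachers",
            ["Supporter"] = "SupportStaff",
        };

    // Returns the Umbraco roles for the values of the configured Group/Role attribute.
    // Missing or unmapped group values grant no role (assumed least-privilege default).
    static List<string> MapRoles(IDictionary<string, string[]> attrs, string groupAttr)
    {
        if (!attrs.TryGetValue(groupAttr, out var groups) || groups == null)
            return new List<string>();
        return groups.Where(g => g != null && RoleMap.ContainsKey(g))
                     .Select(g => RoleMap[g]).Distinct().ToList();
    }

    // True only when the part after the single '@' equals a listed domain exactly,
    // so suffix or substring lookalikes of a listed domain never match.
    static bool DomainIsListed(string email, string commaSeparatedDomains)
    {
        var parts = (email ?? "").Trim().Split('@');
        if (parts.Length != 2 || parts[0].Length == 0) return false;
        return commaSeparatedDomains.Split(',')
            .Select(d => d.Trim())
            .Any(d => d.Length > 0 && d.Equals(parts[1], StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        // Constructed attributes, as they might look after the SAML response is validated.
        var attrs = new Dictionary<string, string[]>
        {
            ["MyIDPGroups"] = new[] { "Educator", "Contractor" },
            ["Email"] = new[] { "alice@miniorange.com" },
        };
        Console.WriteLine(string.Join(",", MapRoles(attrs, "MyIDPGroups")));
        Console.WriteLine(DomainIsListed(attrs["Email"][0], "miniorange.com, example.org"));
        Console.WriteLine(DomainIsListed("bob@miniorange.com.example.net", "miniorange.com"));
        Console.WriteLine(DomainIsListed("eve@notminiorange.com", "miniorange.com"));
    }
}
```

The unmapped 'Contractor' group yields no role, and only the first of the three addresses is reported as being in a listed domain.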