Attribute & Role Mapping
It is the on-the-fly assignment of specific attributes/groups to your users as they are present in your IdP. When the user performs the SSO, the IDP sends over some attributes like NameID, Email, etc. which are then used to assign the users with specific functionalities like access or restrict the resources. The Attribute / Role Mapping tab allows you to enable these certain property-specific functionalities for your users during SSO
This section contains the following 3 sections:
1. Attribute Mapping
Attributes are the user details that are stored in your identity provider. These attributes include Username, Email, First Name, Last Name, Group/Role, Display Name, etc. The Attribute Mapping feature helps you to map these user attributes sent by the IDP to the nopCommerce user attributes.
-
Every time your users SSO into your nopCommerce site or store, these attributes will be automatically mapped to your nopCommerce's user profile.
-
If any existing user performs the SSO, then their application account will be fetched and their profile will be updated based on attributes received from the IDP.
-
By default, the Username and Email are the two basic attributes that are used for attribute mapping. Generally, the NameID value is what’s used for this purpose.
-
You can choose and set attributes sent by the IDP to be mapped with attributes like FirstName and LastName.
-
The Group/Role field can be used as a group transformation attribute. You can map the Group/Role field to the attribute name in which IDP is sending the user's information.
-
Depending on the value of the Group attribute, you can assign single or multiple roles to the users. Custom roles are also supported for the mapping. Please refer to the role mapping section for more information.
Map Custom Attributes
-
It provides an additional feature to Map Custom Attributes to nopCommerce users. Using this feature you can map and access additional attributes received from the IDP in your application.
-
Suppose, you want to map attributes like Phone no., City, State, and Department etc., you will simply have to add these attributes in your IDP and set them up into your Custom attribute mapping to map with their equivalent attributes.
-
For example, the image below shows the above attributes which are sent from the identity provider appropriately added and mapped to their equivalent attributes name.
2. Role Mapping
-
This feature can be used to assign different roles to the users based on their SAML attributes. The particular roles will be applied to users once they meet the specified conditions while logging into nopCommerce via Single Sign-On.
-
This feature allows you to provide user capabilities based on their IdP attribute Group values.
-
If the admin wants users of a particular IDP group(s) to be restricted from logging in to the site, this feature can be enabled by providing the group value(s).
-
This feature can be used where we have a group of students with Off-Campus Registration. They have been assigned a IDP group ‘Outside Users’ and the admin does not want those users to access the site.
3. Domain Restriction
This feature can be used to restrict/allow the user access to the application based on the domain of their email address.
- You can provide multiple domains to restrict by entering domain values separated by comma(,).
It has the following 2 ways to use this feature:
-
Allow users to login with specified domains: If enable this feature then only the users of specified domains will be allowed to log in or register.
-
Deny users to login with specified domains: If enable this feature then users of specified domains will be restricted from login in. The remaining users will be allowed to log in.
Now, for eg. If you want users of ‘miniOrange’ (i.e. miniorange.com) to not log in to your site, then you can simply enter miniorange.com in the input tag and select the radio button Deny users to login with specified domains.
SSO Restriction based on Roles:
-
Allow users with the selected role to login.
-
Deny users with the selected role to login.