Attribute & Role Mapping


Attribute Mapping/Role Mapping is a feature of the Umbraco SAML 2.0 plugin that maps user attributes/roles in the IdP to Umbraco.

Attribute Mapping - Attribute mapping involves mapping user attributes from the IdP to the Umbraco user attributes.

Role Mapping - Role mapping is the process of mapping user roles from the IdP to the Umbraco user roles.

  1. How Basic Attribute Mapping Works
    Attributes are the user details that are stored in your Identity Provider. These attributes include Username, Email, First Name, Last Name, Group/Role, Display Name, etc.

    • By default, the Username and Email are the two basic attributes that are used for attribute mapping. Generally, the NameID value is what’s used for this purpose.

    • You can choose attributes sent by the IdP and map them to attributes like FirstName and LastName.

    • The image below shows the basic attributes sent from the Identity Provider, added and mapped to their equivalent Umbraco SAML plugin attributes.

    [Image: Attribute Mapping section]

    How Custom Attribute Mapping Works

    • The plugin also lets you map custom attributes to Umbraco users. Using this feature, you can map and access additional attributes received from the IdP in your site.

    • Suppose you want to map attributes like Phone no., Permanent Address, City, State, etc. You simply add these attributes in your IdP and enter them in the Custom Attribute Mapping section to map them to their equivalent attributes.

    • For example, the image below shows the above attributes sent from the Identity Provider, added and mapped to their equivalent attribute names.

    [Image: Custom Attribute example]

  2. How Role Mapping Works

    • This feature can be used to assign and manage the roles of users when they perform SSO.

    • This feature allows you to provide user capabilities based on the values of their IdP group attribute.

    • Before enabling this setting, please make sure you’ve configured the attribute name in the Group/Role field of the Attribute Mapping section.

    • For example, you can map the ‘Educator’ and ‘Supporter’ roles from your IdP's group attribute ‘MyIDPGroups’ to the Umbraco roles ‘Teachers’ and ‘SupportStaff’, as shown in the image below.

      [Image: role mapping section]

  3. How Domain Restriction Works

    • This feature can be used to restrict user access to the site based on the domain of their mapped “Email” attribute.

    • You can provide multiple domains to restrict by entering the domain values separated by commas (,).

      [Image: Domain Restriction]

    • For example, if you want to restrict user access to ‘miniOrange’ (i.e. miniorange.com), simply enable the restrict toggle button and enter miniorange.com in the input field.
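
The role mapping and domain restriction described in sections 2 and 3, modeled in Python as an added example (not the plugin's code). It assumes the restriction acts as an allow-list of permitted email domains, that group values must match the role-map keys exactly, and that attributes arrive as a dict of lists; the function names and the sample assertion are constructed for illustration.

```python
# Added example: models the mapping and restriction logic; not the plugin's code.
GROUP_ATTRIBUTE = "MyIDPGroups"  # group attribute name from the page's example
ROLE_MAP = {"Educator": "Teachers", "Supporter": "SupportStaff"}  # from the page


def parse_domains(setting):
    """Split the comma-separated setting into a normalized set of domains."""
    cleaned = (d.strip().lower().rstrip(".") for d in setting.split(","))
    return {d for d in cleaned if d}


def email_domain(email):
    """Return the part after the last '@', normalized, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    return domain if sep and local and domain else None


def domain_permitted(email, setting):
    """Exact match only: a suffix or substring match would admit lookalikes."""
    domain = email_domain(email)
    return domain is not None and domain in parse_domains(setting)


def map_roles(attributes):
    """Map IdP group values to Umbraco roles; unmapped groups grant nothing."""
    values = attributes.get(GROUP_ATTRIBUTE, [])
    if isinstance(values, str):
        values = [values]
    roles = []
    for value in values:
        role = ROLE_MAP.get(value.strip())
        if role and role not in roles:
            roles.append(role)
    return roles


def evaluate_login(attributes, setting):
    """Apply the domain check first, then role mapping (assumed order)."""
    email = attributes.get("Email", "")
    if isinstance(email, list):
        email = email[0] if email else ""
    if not domain_permitted(email, setting):
        return {"allowed": False, "roles": []}
    return {"allowed": True, "roles": map_roles(attributes)}


# Constructed sample assertion attributes, for illustration only.
SAMPLE = {"Email": ["alice@miniorange.com"], "MyIDPGroups": ["Educator", "Interns"]}
print(evaluate_login(SAMPLE, "miniorange.com, example.org"))
```

When testing a real configuration, check that a user with no mapped group and a user whose email domain merely ends with or contains an allowed domain both get the outcome you expect.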