Mapping SAML Attributes

You can map attributes in the identity provider (IdP) response to user attributes used in the Commvault software. For example, by default, a user email address is expected in the NameID element in the IdP response. If your IdP sends the user email address in an attribute instead of in the NameID element, you can map that attribute name carrying the value of email to user attribute (for example, Email) so that the value of the attribute is used for the user email address.

Available Attributes

You can map IdP response attributes to the user attributes in the following table. Your mappings take precedence over default sources.

User Attribute	Details
user name	The mapping for the user name attribute is used to validate the user when they log on. The default source for the user name attribute is the NameID element. `<Subject> <NameID>jknight</NameID> ... </Subject>`
user groups	The mapping for the user groups attribute is used to associate or disassociate the user with domain groups (external groups) that were added to the Commvault environment.
email	The mapping for the email attribute is used to validate the user when they log on. The default source for the email attribute is the NameID element. `<Subject> <NameID>jknight@mycompany.com</NameID> ... </Subject>`
user GUID	If the Auto create user option is selected, the mapping for the user GUID attribute is used as the user GUID. If the Auto create user option is selected and a mapping is not provided, the user GUID is a system-generated value.
SID	Applies to: Active Directory identity providers The mappings for the SID attribute and the group SID attribute are used to facilitate the ACL (Access Control List) browse for agents such as the Windows File System Agent and the SharePoint Server Agent.
Group SID
company name	Applies to: Multi-tenant Commvault environments The mapping for the company name attribute is used to configure SAML authentication at the CommCell level. The SAML authentication applies to all companies in the Commvault environment. For instructions about configuring SAML authentication at the CommCell level, see Configuring SAML Authentication for All Tenants .

Procedure

From the navigation pane, go to Manage > Security > Identity server.

The Identity servers page appears.
In the Application name column, click the application name.

The application details page appears.
Under Attribute mappings, click Edit.

The Edit attributes dialog box appears.
Click Add mappings.
Enter the attribute name based on the format in the IdP response:
- To add the attribute name in the URL format (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress), in the SAML attribute box, add the URL.
- To add the attribute name in the generic name format (for example, uname), in the SAML attribute box, enter the name
From the User attributes list, select the user attribute that the IdP response attribute maps to.

For example, if the IdP response attribute is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, click Email.
To add additional mappings, click Add mappings.

Note

If you add a user name mapping, you must add an email mapping too.
Click Save.

Examples

The following samples are mappings and the results of the mappings:

SAML Attribute	User Attribute	Attribute statement	Result
Generic format: uname URL format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	user name	Attribute in generic format: `<AttributeStatement> <Attribute Name="uname"> <AttributeValue>jdoe</AttributeValue> </Attribute> </AttributeStatement>` Attribute in URL format: `<AttributeStatement> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"> <AttributeValue>jdoe</AttributeValue> </Attribute> </AttributeStatement>`	The value jdoe is used to validate the user.
Generic format: mail URL format: http://schemas.microsoft.com/2012/12/certificatecontext/field/subject	email	Attribute in generic format: `<AttributeStatement> <Attribute Name="mail"> <AttributeValue>jknight@mycompany.com</AttributeValue> </Attribute> </AttributeStatement>` Attribute in URL format: `<AttributeStatement> <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject"> <AttributeValue>jknight@mycompany.com</AttributeValue> </Attribute> </AttributeStatement>`	The value jknight is used to validate the user.
Generic format: usergroup URL format: http://schemas.xmlsoap.org/claims/Group	user groups	Attribute in generic format: `<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <saml2:Attribute Name="usergroup"> <saml2:AttributeValue>Domain Users</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement>` Attribute in URL format: `<Attribute Name="http://schemas.xmlsoap.org/claims/Group"> <AttributeValue>Domain Users</AttributeValue> </Attribute>`	The user is associated with the Domain Users group.
Generic format: company URL format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization	company name	Attribute in generic format: `<Attribute Name="company"> <AttributeValue>MyCompany</AttributeValue> </Attribute>` Attribute in URL format: `<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization"> <AttributeValue>MyCompany</AttributeValue> </Attribute>`	MyCompany is identified as a valid company in the Commvault environment, and the user is allowed to log on and view MyCompany information.

For instructions about configuring SAML authentication at the CommCell level, see Configuring SAML Authentication for All Tenants .

Mapping SAML Attributes

Available Attributes

Procedure

Examples

Related Topics