Mapping SAML Attributes

You can map attributes in the identity provider (IdP) response to user attributes used in the Commvault software. For example, by default, a user email address is expected in the NameID element in the IdP response. If your IdP sends the user email address in an attribute instead of in the NameID element, you can map that attribute name carrying the value of email to user attribute (for example, Email) so that the value of the attribute is used for the user email address.

Available Attributes

You can map IdP response attributes to the user attributes in the following table. Your mappings take precedence over default sources.

User Attribute

Details

user name

The mapping for the user name attribute is used to validate the user when they log on. The default source for the user name attribute is the NameID element.

<Subject> <NameID>jknight</NameID> ...
</Subject>

user groups

The mapping for the user groups attribute is used to associate or disassociate the user with domain groups (external groups) that were added to the Commvault environment.

email

The mapping for the email attribute is used to validate the user when they log on. The default source for the email attribute is the NameID element.

<Subject> <NameID>jknight@mycompany.com</NameID> ...
</Subject>

user GUID

If the Auto create user option is selected, the mapping for the user GUID attribute is used as the user GUID. If the Auto create user option is selected and a mapping is not provided, the user GUID is a system-generated value.

SID

Applies to: Active Directory identity providers

The mappings for the SID attribute and the group SID attribute are used to facilitate the ACL (Access Control List) browse for agents such as the Windows File System Agent and the SharePoint Server Agent.

Group SID

company name

Applies to: Multi-tenant Commvault environments

The mapping for the company name attribute is used to configure SAML authentication at the CommCell level. The SAML authentication applies to all companies in the Commvault environment. For instructions about configuring SAML authentication at the CommCell level, see Configuring SAML Authentication for All Tenants .

Procedure

  1. From the navigation pane, go to Manage > Security > Identity server.

    The Identity servers page appears.

  2. In the Application name column, click the application name.

    The application details page appears.

  3. Under Attribute mappings, click Edit.

    The Edit attributes dialog box appears.

  4. Click Add mappings.

  5. Enter the attribute name based on the format in the IdP response:

    • To add the attribute name in the URL format (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress), in the SAML attribute box, add the URL.

      Attributes mapping_Attribute name

    • To add the attribute name in the generic name format (for example, uname), in the SAML attribute box, enter the name

      Attribute Box Generic Attribute Name

  6. From the User attributes list, select the user attribute that the IdP response attribute maps to.

    For example, if the IdP response attribute is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, click Email.

  7. To add additional mappings, click Add mappings.

    Note

    If you add a user name mapping, you must add an email mapping too.

  8. Click Save.

Examples

The following samples are mappings and the results of the mappings:

SAML Attribute

User Attribute

Attribute statement

Result

Generic format: uname

URL format:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

user name

Attribute in generic format:

 <AttributeStatement>
            <Attribute Name="uname">
                <AttributeValue>jdoe</AttributeValue>
            </Attribute>
        </AttributeStatement>

Attribute in URL format:

<AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <AttributeValue>jdoe</AttributeValue>
            </Attribute>
        </AttributeStatement>

The value jdoe is used to validate the user.

Generic format: mail

URL format: http://schemas.microsoft.com/2012/12/certificatecontext/field/subject

email

Attribute in generic format:

<AttributeStatement>
            <Attribute Name="mail">
                <AttributeValue>jknight@mycompany.com</AttributeValue>
            </Attribute>
        </AttributeStatement>

Attribute in URL format:

<AttributeStatement> <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject"> <AttributeValue>jknight@mycompany.com</AttributeValue> </Attribute>
</AttributeStatement>

The value jknight is used to validate the user.

Generic format: usergroup

URL format: http://schemas.xmlsoap.org/claims/Group

user groups

Attribute in generic format:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="usergroup">
                <saml2:AttributeValue>Domain Users</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>

Attribute in URL format:

<Attribute Name="http://schemas.xmlsoap.org/claims/Group"> <AttributeValue>Domain Users</AttributeValue>
</Attribute>

The user is associated with the Domain Users group.

Generic format: company

URL format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization

company name

Attribute in generic format:

<Attribute Name="company"> <AttributeValue>MyCompany</AttributeValue>
</Attribute>

Attribute in URL format:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization"> <AttributeValue>MyCompany</AttributeValue>
</Attribute>

MyCompany is identified as a valid company in the Commvault environment, and the user is allowed to log on and view MyCompany information.

For instructions about configuring SAML authentication at the CommCell level, see Configuring SAML Authentication for All Tenants .

Loading...