Mapping SAML Attributes


You can map attributes in the identity provider (IdP) response to custom attributes used in the Commvault software. For example, by default, a user email address is expected in the NameID element in the IdP response. If your IdP sends the user email address in an attribute instead of in the NameID element, you can map that attribute name to a custom attribute (for example, Email) so that the value of the attribute is used for the user email address.

Available Attributes

You can map IdP response attributes to the custom attributes in the following table. Your mappings take precedence over default sources.

Custom Attribute

Description

Email

The mapping for the email attribute is used to validate the user when they log on. The default source for the email attribute is the NameID element.

<Subject>
  <NameID>jvinnakota@mycompany.com</NameID>
  ...
</Subject>

user name

The mapping for the user name attribute is used to validate users when they log on. The default source for the user name attribute is the NameID element.

<Subject>
  <NameID>jsmith</NameID>
  ...
</Subject>

full name

The mapping for the full name attribute is used to populate the full name of a user in the CommCell environment.

User Principal Name

The mapping for the User Principal Name attribute is used to validate users when they log on. The default source for the User Principal Name attribute is the NameID element.

<Subject>
  <NameID>jsmith2@mycompany.com</NameID>
  ...
</Subject>

user guid

If the Auto create user option is selected, the mapping for the user GUID attribute is used as the user GUID. If the Auto create user option is selected and a mapping is not provided, the user GUID is a system-generated value.

user groups

The mapping for the user groups attribute is used to associate or disassociate the user with user groups that were added to the CommCell environment.

SID

Group SID

Applies to: Active Directory identity providers

The mappings for the SID attribute and the group SID attribute are used by the access control list (ACL) browse for agents such as the Windows File System Agent and the SharePoint Server Agent.

company name

Applies to: Multi-tenant CommCell environments

The mapping for the company name attribute is used to configure SAML authentication at the CommCell level. The SAML authentication applies to all companies in the CommCell environment.

Procedure

  1. From the navigation pane, go to Manage > Security.

    The Security page appears.

  2. Click the Identity servers tile.

    The Identity servers page appears.

  3. In the Name column, click the name of the SAML application.

    The SAML application properties page appears.

  4. On the General tab, in the Attribute mappings section, click the Edit button.

    The Edit attributes dialog box appears.

  5. From the Custom attribute list, select the custom attribute to map the IdP response to.

    For example, if the IdP response attribute is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, select Email.

  6. In the SAML attribute box, enter the attribute name based on the format in the IdP response:

    • To add the attribute name using the URL format (for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress), in the SAML attribute box, add the URL.

    • To add the attribute name using the generic name format (for example, uname), in the SAML attribute box, enter the name.

  7. Click Add.

  8. Click Save.

Examples

The following are example mappings and the results of the mappings:

SAML Attribute

Custom Attribute

Attribute Statement

Result

  • Generic format: mail

  • URL format: http://schemas.microsoft.com/2012/12/certificatecontext/field/subject

Email

  • Attribute in generic format:

    <AttributeStatement>

    <Attribute Name="mail">

    <AttributeValue>jvinnakota@mycompany.com</AttributeValue>

    </Attribute>

    </AttributeStatement>
  • Attribute in URL format:

    <AttributeStatement>

    <Attribute Name="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject">

    <AttributeValue>jvinnakota@mycompany.com</AttributeValue>

    </Attribute>

    </AttributeStatement>

The value jvinnakota@mycompany.com is used during auto-creation and to validate the user.

  • Generic format: uname

  • URL format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

user name

  • Attribute in generic format:

    <AttributeStatement>

    <Attribute Name="uname">

    <AttributeValue>bwang</AttributeValue>

    </Attribute>

    </AttributeStatement>
  • Attribute in URL format:

    <AttributeStatement>

    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">

    <AttributeValue>bwang</AttributeValue>

    </Attribute>

    </AttributeStatement>

The value bwang is used as the user name and to validate the user.

  • Generic format: UPN

  • URL format: http://schemas.xmlsoap.org/claims/upn

User Principal Name

  • Attribute in generic format:

    <AttributeStatement>

    <Attribute Name="UPN">

    <AttributeValue>jsmith2@mycompany.com</AttributeValue>

    </Attribute>

    </AttributeStatement>
  • Attribute in URL format:

    <AttributeStatement>

    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">

    <AttributeValue>jsmith2@mycompany.com</AttributeValue>

    </Attribute>

    </AttributeStatement>

The value jsmith2@mycompany.com is used during auto-creation and to validate the user.

  • Generic format: usergroup

  • URL format: http://schemas.xmlsoap.org/claims/Group

user groups

  • Attribute in generic format:

    <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">

    <saml2:Attribute Name="usergroup">

    <saml2:AttributeValue>Domain Users</saml2:AttributeValue>

    </saml2:Attribute>

    </saml2:AttributeStatement>
  • Attribute in URL format:

    <Attribute Name="http://schemas.xmlsoap.org/claims/Group">

    <AttributeValue>Domain Users</AttributeValue>

    </Attribute>

The logged-in user is associated with the Domain Users group.

If the SAML application is created at the CommCell level, you must create a user group with the same name in the CommCell.

If the SAML application is created for any particular tenant, you must create a user group with the same name in the tenant.

  • Generic format: company

  • URL format: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization

company name

  • Attribute in generic format:

    <Attribute Name="company">

    <AttributeValue>MyCompany</AttributeValue>

    </Attribute>
  • Attribute in URL format:

    <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/organization">

    <AttributeValue>MyCompany</AttributeValue>

    </Attribute>

MyCompany is identified as a valid company in the CommCell environment, and the user is allowed to log on and view MyCompany information.
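The following is an added example, not Commvault code, showing how the precedence rules in the Available Attributes table and the Examples above resolve: a configured mapping wins, and Email, user name and User Principal Name fall back to the NameID element when no mapping matches. The assertion and the second group value "Backup Admins" are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Custom attributes whose default source is the NameID element (per the table above).
NAMEID_DEFAULTS = ("Email", "user name", "User Principal Name")

# Constructed sample assertion (not a real IdP response); it reuses values from the
# page's examples and adds a second group value, "Backup Admins", as an assumption.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>jsmith2@mycompany.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>jvinnakota@mycompany.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml2:AttributeValue>Domain Users</saml2:AttributeValue>
      <saml2:AttributeValue>Backup Admins</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Mappings as entered in the Edit attributes dialog: custom attribute -> SAML attribute name.
SAMPLE_MAPPINGS = {"Email": "mail", "user groups": "http://schemas.xmlsoap.org/claims/Group"}

def _local(tag):
    """Strip any namespace so prefixed (saml2:) and unprefixed examples parse alike."""
    return tag.rsplit("}", 1)[-1]

def parse_assertion(xml_text):
    """Return (NameID value, {attribute Name: [values]}) from an assertion."""
    name_id, attrs = None, {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "NameID" and name_id is None:
            name_id = (el.text or "").strip()
        elif _local(el.tag) == "Attribute":
            values = [(v.text or "").strip() for v in el if _local(v.tag) == "AttributeValue"]
            attrs.setdefault(el.get("Name"), []).extend(values)
    return name_id, attrs

def resolve(xml_text, mappings):
    """Apply mappings first (they take precedence), then fall back to NameID defaults.
    Call this only on an assertion whose signature has already been verified."""
    name_id, attrs = parse_assertion(xml_text)
    resolved = {}
    for custom, saml_name in mappings.items():
        if saml_name in attrs:  # a misspelled name is simply not found; no error is raised
            resolved[custom] = attrs[saml_name] if custom == "user groups" else attrs[saml_name][0]
    for custom in NAMEID_DEFAULTS:
        if custom not in resolved and name_id:
            resolved[custom] = name_id
    return resolved
```

Note that a mapping whose SAML attribute name does not appear in the response silently falls back to the NameID value, so a typo in the Edit attributes dialog shows up as the wrong identity being used rather than as an error.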