6.4 Mapping attributes
Once you have configured your external identity provider, you must configure MyID to process the attributes returned in the claims, and map them to MyID attributes.
6.4.1 Finding a list of available claims
To determine which claims are returned from your external identity provider, you can enable logging for the web.oauth2 service.
See the MyID REST and authentication web services section in the Configuring Logging guide for details of enabling logging. Set the log level to INFO.
Once you have edited the Log.config file, add the following minimal Mappings section to the entry for your external identity provider in the ExternalProviders array of the appsettings.Production.json file for the web.oauth2 service:
"Mappings":[
{
"Match":{
},
"Attributes":[
{
"From":"givenName",
"To":"FirstName"
},
{
"From":"surname",
"To":"Surname"
},
{
"From":"",
"To":"Roles",
"Static":"<role name='Cardholder' scope='1'/>"
},
{
"From":"",
"To":"GroupName",
"Static":"Imported From External IDP"
},
{
"From":"",
"To":"ParentGroupName",
"Static":"External"
}
]
}
]This set of mappings provides a minimal set of data to allow the web.oauth2 service to attempt to carry out a logon using the external identity provider; it does not allow you to log on, but allows MyID to retrieve the claims information from the external identity provider.
Save the file, then recycle the application pool in IIS to ensure that the web service is using the latest settings.
- On the MyID web server, in Internet Information Services (IIS) Manager, select Application Pools.
- Right-click the myid.web.oauth2.pool application pool, then from the pop-up menu click Recycle.
You can now attempt to log on to MyID using the external identity provider. The attempt fails with error OA10077, but the log displays a list of the claims returned from the identity provider that you can use to set up your mappings.
For example:
<LogEntry Type="InfoMessage">
<TimeStamp>2024-02-22 14:42:15.560</TimeStamp>
<ManagedThreadID>5</ManagedThreadID>
<Class>Intercede.MyID.Logging.Log4Net.Log4NetLogger</Class>
<Method>Microsoft.Extensions.Logging.ILogger.Log</Method>
<Message>List of all claims available from provider: @odata.context: https://graph.microsoft.com/v1.0/$metadata#users/$entity,
businessPhones: ["259"],
displayName: Susan Smith,
givenName: Susan,
jobTitle: Business Analyst,
mail: [email protected],
mobilePhone: ,
officeLocation: Headquarters,
preferredLanguage: ,
surname: Smith,
userPrincipalName: [email protected],
id: b0e777c5-02ff-4669-9c99-18780b334bd7</Message>
</LogEntry>6.4.2 Matching attributes
You can use the Match option to restrict the users who can authenticate using the external identity provider by specifying a value for one of the claims returned.
For example, you may want to allow access only to people where the officeLocation claim is set to Headquarters:
"Match": {
"officeLocation": "Headquarters"
},6.4.3 Mapping attributes
You can include multiple items in the Attributes array. Each item can have the following properties:
-
From
The name of the claim in the external identity provider. The available claims are different for each identity provider; see section 6.4.1, Finding a list of available claims for assistance in determining which claims are available to you.
-
To
The name of the field in MyID to which to map the attribute. This must match a column name in the vPeopleUserAccounts view in the MyID database.
If you are creating a user in MyID, you must provide mappings for the FirstName, Surname, or both fields in MyID. You must also provide the FullName; for example:
Copy{
"From": "displayName",
"To": "FullName"
},
{
"From": "givenName",
"To": "FirstName"
},
{
"From": "surname",
"To": "Surname"
}, -
Mandatory
If set to true, this claim must be present in the external information for the user to be valid.
-
Unique
If set to true, this value must be unique in MyID for the user to be valid.
Important: This is used as the primary lookup value when searching for the user in MyID; you must include at least one Unique attribute.
You are recommended to use a unique reference (such as a GUID) supplied from the external identity provider; you can store this value in a MyID attribute to create a link between the user in the external identity provider and MyID.
MyID provides the following fields:
-
XuSYSExternalReferenceId1
-
XuSYSExternalReferenceId2
-
XuSYSExternalReferenceId3
that you can use to store the unique ID. If you have up to three external identity providers, you can use a different field for each.
For example:
Copy{
"From": "id",
"To": "XuSYSExternalReferenceId1",
"Mandatory": true,
"Unique": true,
"Update": true
}, -
-
Update
If set to true, and the Action configured for the provider is Update or CreateAndUpdate, MyID uses the information from the claim to update the user record in the MyID database.
-
LookupExisting
If the primary lookup value (that is, the claim set to Unique) is unable to find a match, this acts as a fallback option. If there are still no matching users for LookupExisting, the operation moves on to create a new user or to fail logon, depending on the Action setting. This feature is intended for the case where a user may have been created not from the external identity provider (so the Unique reference is not yet set), but you want to look up an existing user in MyID (for example, by UserPrincipalName or Email) and then update the Unique reference to create the permanent link.
For example:
Copy{
"From":"userPrincipalName",
"To":"UserPrincipalName",
"LookupExisting":true,
"LdapSync":true
} -
LdapSync
If set to true, the search operation also checks the LDAP for valid matching users to import additional user data from the directory, using the field specified in the To property and the value specified for this attribute. The value of the To property must be a value in the LDAPLookUp table.
Important: If you enable LookupExisting or LdapSync on an attribute, you must be certain that the source of that data from the external identity provider is trustworthy. If you use these features and the source of the mapped attribute used for LookupExisting or LdapSync can be controlled by the end user or another untrusted individual, it can enable the user authenticating with that identity provider to impersonate a user in MyID, either by assigning the external identity provider authentication mechanism to that existing user account or by importing data (such as the DN) from the LDAP that belongs to another person who is looked up by that attribute.
-
Static
If there is extra information that you needs to provide that does not come from the external provider, such as MyID roles and groups, you can include the information in a Static attribute.
If you are creating a user in MyID, you must provide static mappings for the roles you want to set for the user, and a group into which you want to place the user.
To set roles for a user, you must provide XML that describes the roles and scope you want to provide. You can provide multiple roles. Use the following format:
<role name ='name' scope='scope'/>
where:
-
name – the name of the role from the Name field in the UserProfiles table in the MyID database.
-
scope – the ID of the scope. You can use the following:
-
1 – Self
-
2 – Department
-
3 – Division
-
4 – All
-
For example:
Copy{
"From": "",
"To": "Roles",
"Static": "<role name='Cardholder' scope='1'/><role name='PasswordUser scope='2'/>"
}To set a group for a user, you must set the To attribute to GroupName and the Static value to the name of the group. To set the parent group of the group you are setting for a user, you must set the To attribute to ParentGroupName, and the Static value to the name of the parent group.
For example:
Copy{
"From": "",
"To": "GroupName",
"Static": "Imported Group"
},
{
"From": "",
"To": "ParentGroupName",
"Static": "External"
} -