000030136 - RSA Federated Identity Management attribute mapping

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Jan 31, 2018
Version 5

Article Content

Article Number: 000030136
Applies To:
RSA Product Set: ClearTrust
RSA Product/Service Type: Federated Identity Manager
RSA Version/Condition: 4.1, 4.2
Platform: WebLogic
An actual attribute in the RSA Access Manager datastore is employeeID.

The SAML attribute is currently generated as shown below (with the standard extended configuration settings):
[Image: extended attribute settings]


<saml:Attribute FriendlyName="UPN"

The request is for a SAML attribute as shown here: 

<saml:Attribute FriendlyName="UPN"

There is also a request for a different namespace than those available from the drop-down.

Resolution

There are two out-of-the-box changes required to achieve the desired namespace and name.

To correct the namespace issue, simply enter the namespace you desire if it is not available in the attribute set.

Including a different namespace than those available from the drop-down

  1. First, set both the Attribute Friendly Name and the Attribute Name or Filter to the same string of UPN, as shown here:


  2. Use the attribute remapping feature in the attribute plugin. The attribute list will not be used to fetch the attribute if mapping is enabled.

[Image: attribute mapping]

If mapping is NOT in use, FIM uses the attribute set. If an attribute is mapped in the plugin, FIM uses the mapped value on the right of the equal sign to fetch the attribute from the RSA Access Manager map of attributes, while the two names used in the attribute assertion are still the ones from the attribute set.
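
The lookup rule above can be checked with a small model. This is an added example, not RSA FIM code: the `name=datastoreAttribute` mapping layout, the function names, the sample user record and the choice to emit nothing when the lookup fails are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)


def parse_mapping(text):
    """Parse 'assertionName=datastoreAttribute' lines (layout assumed for this model)."""
    mapping = {}
    for line in text.splitlines():
        left, sep, right = line.partition("=")
        if sep and left.strip() and right.strip():
            mapping[left.strip()] = right.strip()
    return mapping


def build_attribute(entry, mapping, user_attrs):
    """Return a saml:Attribute element for one attribute-set entry, or None.

    With a mapping for the entry's name, the value is fetched under the mapped
    datastore name; without one, the name from the attribute set is the key.
    The names in the assertion always come from the attribute set.
    """
    source = mapping.get(entry["name"], entry["name"])
    if source not in user_attrs:
        return None  # model choice: nothing to assert when the lookup fails
    attr = ET.Element(f"{{{SAML_NS}}}Attribute",
                      {"FriendlyName": entry["friendly_name"], "Name": entry["name"]})
    ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = user_attrs[source]
    return attr


def attribute_value(attr):
    """Read the single AttributeValue back out of an element."""
    return attr.find(f"{{{SAML_NS}}}AttributeValue").text


# Constructed sample data: one user record and the attribute-set entry from step 1.
USER = {"employeeID": "E12345", "mail": "jdoe@example.com"}
UPN_ENTRY = {"friendly_name": "UPN", "name": "UPN"}
MAPPING = parse_mapping("UPN=employeeID\n")

if __name__ == "__main__":
    mapped = build_attribute(UPN_ENTRY, MAPPING, USER)
    print(ET.tostring(mapped, encoding="unicode"))
    print("without mapping:", build_attribute(UPN_ENTRY, {}, USER))
```

Without the mapping, the model looks for a datastore attribute literally named UPN and finds none, which is why step 1 alone does not carry the employeeID value into the assertion.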

Notes

IdP sending assertion with attributes.
For Access Manager as WAM and standard ctBasicAPattributePlugin.