This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.

Claim mapping for a service provider involves mapping the claims used by the service provider to the claims local to the WSO2 Identity Server. See the Identity Server Architecture for more information on how claim mapping fits into the overall scheme of things.

In the Claim Configuration form, select the claim mapping dialect by either choosing to use the local claim dialect or defining your own custom claim dialect.

  • If you choose to Use Local Claim Dialect, you need to fill in the following details.
    1. Fill in your requested claims by clicking the Add Claim URI button.
    2. Choose your Local Claim from the dropdown. 
    3. Select the Mandatory Claim checkbox if it is a mandatory claim for the service provider. 
  • If you choose to Define Custom Claim Dialect, you need to do the following. 
    1. Add a custom claim URI by clicking on the Add Claim URI button. Clicking this button again enables you to map more claims.
    2. Add the Service Provider Claim and choose the corresponding Local Claim from the dropdown. 
    3. Select the Requested Claim checkbox if you want it to be a requested claim. Select the Mandatory Claim checkbox if the claim is a mandatory claim for the service provider. 

      Information on mapping claims

      The Local Claim list includes a set of standard claim values which are local to the WSO2 Identity Server. When adding a service provider, you must map each claim local to the service provider to the corresponding Identity Server local claim in this dropdown list. Do this for every service provider claim unless it already uses the same claim name as the local claim.

      Marking a claim as a Mandatory Claim ensures that the WSO2 Identity Server definitely sends a value for this claim to the service provider. If the identity provider does not provide a value for any of the mandatory claims when the user logs in to this service provider, the user will be prompted to provide them at the point of login as seen on the window below.

      Marking a mapped claim as a Requested Claim ensures that the service provider definitely sends this claim to the Identity Server. This is useful particularly in cases where there are hundreds of claims and only specific ones need to be sent to the Identity Server.

  • Select the Subject Claim URI and the Role Claim URI (for custom claims) from the dropdown. The claims you mapped are listed in the dropdown and you can choose among these claims.

    • When the authentication request comes into the Identity Server, the value of the claim specified as the Subject Claim URI is added to the authentication request. In more detail: when the user logs into the Identity Server, it identifies the user store that the user belongs to, reads the value of the claim specified as the Subject Claim URI from that user store, and sends that value along with the authentication request.
    • The Role Claim URI is used to identify the claim that equates to the role of the user. This is linked to the permissions that you can apply for specific user roles.
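The mapping and Mandatory/Requested rules described above, as an added example that is not WSO2 code: a small Python model of how claims are resolved for one login, including the prompt for missing mandatory claims. It assumes that a claim marked Mandatory is always sent, that the user store can be modelled as a dictionary of local claim URIs to values, and it uses constructed sample data.

```python
# Added example, not WSO2 code: a model of the claim-mapping rules above.
# Assumptions: only Requested or Mandatory claims are sent, and the user
# store is a dict of local claim URI -> value. Sample data is constructed.
from dataclasses import dataclass

LOCAL = "http://wso2.org/claims/"  # WSO2 IS local claim dialect prefix


@dataclass(frozen=True)
class ClaimMapping:
    sp_claim: str      # claim URI the service provider expects
    local_claim: str   # local claim it is mapped to in the dropdown
    requested: bool = False
    mandatory: bool = False


def resolve_claims(mappings, user_store, local_dialect=False):
    """Return (claims_to_send, missing_mandatory) for one login attempt.

    With local_dialect=True (Use Local Claim Dialect) a claim is sent under
    its local URI; otherwise under the service provider's custom URI.
    """
    to_send, missing = {}, []
    for m in mappings:
        if not (m.requested or m.mandatory):
            continue                          # not requested: never sent
        value = user_store.get(m.local_claim)
        if value is None:
            if m.mandatory:
                missing.append(m.local_claim)  # user must be prompted
            continue
        to_send[m.local_claim if local_dialect else m.sp_claim] = value
    return to_send, missing


def login(mappings, user_store, prompt):
    """Resolve claims; if mandatory claims are missing, call prompt(missing)
    (the claim request page), store the answers and resolve again."""
    claims, missing = resolve_claims(mappings, user_store)
    if missing:
        supplied = prompt(missing)
        if any(c not in supplied for c in missing):
            raise ValueError("mandatory claims still missing: %s" % missing)
        user_store.update(supplied)
        claims, missing = resolve_claims(mappings, user_store)
    return claims


# Constructed sample: a custom dialect for a Travelocity-like service provider
MAPPINGS = [
    ClaimMapping("email", LOCAL + "emailaddress", requested=True, mandatory=True),
    ClaimMapping("country", LOCAL + "country", requested=True, mandatory=True),
    ClaimMapping("phone", LOCAL + "mobile", requested=True),
    ClaimMapping("nick", LOCAL + "nickname"),  # mapped but not requested
]
USER = {LOCAL + "emailaddress": "alice@example.com",
        LOCAL + "mobile": "+10000", LOCAL + "nickname": "ali"}
```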

Test mandatory claims

To see a sample of how the mandatory claims work, follow the steps below. 

  1. Configure the Travelocity sample application. For instructions on how to do this, see Configuring Single Sign-On.
  2. Configure a few claims as described in the Configuring Single Sign-On topic and select the Mandatory Claim checkbox for the mandatory claims. Make sure that one or more of these mandatory claims are missing from the profile of the user you wish to log in with.
  3. Run the Travelocity sample application and click Click here to login with SAML from Identity Server.
  4. After submitting the username and password, the claim request page is displayed because some of the mandatory claims are missing.
  5. Provide the mandatory claim values and click Submit. You will now be logged into the application. 