Claim mappings
Claim mappings can be configured per account provider.
Claim mappings can be used to:
- pass through incoming attributes or roles
- add additional attributes as claims to all or specific accounts
- map an incoming attribute to another (custom) attribute
Claim mappings are available to all account providers, including the following:
- Built-in Username and Password account provider
- SAMLP account provider
- WS-Fed account provider
- Office 365 account provider
- Smart card account providers: eID, UZI-pas (On premises only)
- Social account providers: Facebook, Google, Instagram, Twitter, ...
- Trusted account providers (On premises only)
Parameter | Description |
---|---|
Remove all incoming claims that are not mapped | Only incoming claims that are explicitly mapped by type (and by value, when specified) are mapped. All other incoming claims are ignored. |
Source claim (optional) | The type of the incoming claim to be mapped. |
Source claim value (optional) | The value of the incoming claim type to be mapped or used as a filter. When omitted, all incoming claims of the type will be mapped. |
Destination claim | The claim type to map the incoming claim to. |
Destination claim value (optional) | The claim value to set for the mapped incoming claim. When omitted, the value of the incoming claim is used. |
See Example cases below.
How to add a claim mapping
- Navigate to the Account Providers Admin Page (https://www.theidentityhub.com/{tenant}/Admin/AccountProvider) of your Tenant.
- Click the Account Provider of your choice and choose to Edit it
- Go to the Claim Mappings tab page
- At the top of the page, enter the claim mapping rule you want to add and click the Add button, or pick a type of claim mapping rule from the quick add wizard menu.
- Click Save.
How to edit a claim mapping
- Navigate to the Account Providers Admin Page (https://www.theidentityhub.com/{tenant}/Admin/AccountProvider) of your Tenant.
- Click the Account Provider of your choice and choose to Edit it
- Go to the Claim Mappings tab page
- In the list of existing claim mappings, update the claim mapping rule
- Click Save.
How to remove a claim mapping
- Navigate to the Account Providers Admin Page (https://www.theidentityhub.com/{tenant}/Admin/AccountProvider) of your Tenant.
- Click the Account Provider of your choice and choose to Edit it
- Go to the Claim Mappings tab page
- In the list of existing claim mappings, click the bin button on the line of the claim mapping rule you want to delete
- Click Save.
Example cases
| Source claim (optional) | Source claim value (optional) | Destination claim | Destination claim value (optional) | Example Description |
|---|---|---|---|---|
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | | Pass-through role mapping ADFS 'as is' |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Reader | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | ReadOnly | Transform role mapping ADFS |
| | | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | TIH user | Assign a role |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | | Pass-through name attribute |
| | | http://yourschema.yourdomain.com/ws/2019/08/identity/claims/customattribute | fixed value | Assign a custom attribute with a configured fixed value |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [User's Name Claim Value] | http://yourschema.yourdomain.com/ws/2019/08/identity/claims/customattribute | fixed value | Assign a custom attribute with a configured fixed value to a specific user |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | | http://yourschema.yourdomain.com/ws/2019/08/identity/claims/customattribute | fixed value | In case the incoming claims contain an attribute of type emailaddress, an additional claim of your custom type will be added with a configured fixed value |
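The sketch below is an added example, not The Identity Hub's own code. It models how rules from the table above combine when "Remove all incoming claims that are not mapped" is enabled, based only on the parameter descriptions on this page. The names `Rule` and `apply_mappings`, exact string matching, rule ordering, and the sample account values are assumptions.

```python
from typing import NamedTuple, Optional

ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
CUSTOM = "http://yourschema.yourdomain.com/ws/2019/08/identity/claims/customattribute"

class Rule(NamedTuple):
    source: Optional[str]        # Source claim (optional)
    source_value: Optional[str]  # Source claim value (optional), used as a filter
    dest: str                    # Destination claim
    dest_value: Optional[str]    # Destination claim value (optional)

def apply_mappings(incoming, rules):
    """Assumed model of allowlist mode: only claims produced by a rule are returned."""
    out = []
    for rule in rules:
        if rule.source is None:
            # No source claim: the destination claim is added to every account.
            if rule.dest_value is None:
                raise ValueError("a rule without a source claim needs a destination value")
            produced = [(rule.dest, rule.dest_value)]
        else:
            # Match on type, then on value when a source value is configured.
            produced = [
                (rule.dest, value if rule.dest_value is None else rule.dest_value)
                for ctype, value in incoming
                if ctype == rule.source and rule.source_value in (None, value)
            ]
        for claim in produced:
            if claim not in out:
                out.append(claim)
    return out

# Rules taken from the example table; "alice@example.test" is a constructed value
# standing in for [User's Name Claim Value].
RULES = [
    Rule(ROLE, "Reader", ROLE, "ReadOnly"),                   # transform a role
    Rule(None, None, ROLE, "TIH user"),                       # assign a role to all
    Rule(NAME, None, NAME, None),                             # pass through the name
    Rule(NAME, "alice@example.test", CUSTOM, "fixed value"),  # one specific user
]

# Constructed incoming claims; the provider also sends a role no rule maps.
INCOMING = [(NAME, "alice@example.test"), (ROLE, "Reader"), (ROLE, "Administrator")]

if __name__ == "__main__":
    for ctype, value in apply_mappings(INCOMING, RULES):
        print(ctype, "=", value)
```

In this model the unmapped `Administrator` role sent by the upstream provider never reaches the resulting identity, which is the reason to prefer value-filtered role rules together with the remove-unmapped option over a blanket role pass-through.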
User's Name Claim Value
When setting a claim rule for one specific user, an administrator can find the value as follows:
- Search for the identity of the user in Users
- Click the user and then go to Accounts
- Find the tile related to the account provider on which you plan to add the claim mapping for this user.
The required value is shown in italics and preceded by an ID badge symbol.