Required SAML attributes and mapping example

Required values

Your Attribute Mapping Policy must contain:

  • a minimum of one local rule
  • static or dynamically populated values for the following fields:
FieldDescriptionFormatCommon values
domainThe Identity or Account Domain that the Identity Provider is authorized to log users in to.Alphanumeric stringMust be set to your Identity Domain. The domain appears on the Details page for your Identity Provider.
nameThe username of your user as provided by your identity system.Alphanumeric stringSAML attributes:

NameID (persistent type preferred)
emailThe email address of your user as provided by your identity system.RFC-valid email addressSAML attributes:

rolesThe product RBAC (role-based access control) roles that you want to assign to the user.YAML array of alphanumeric stringsExample:
- "nova:admin"
- "lbaas:observer"
expiresThe amount of time after which users must reauthenticate with your identity system.ISO format time valuesExample: "PT12H (12 hours)


SAML attributes


Setting values with Attribute Mapping

You can set values either explicitly or by using Attribute Mapping Policy language features such as inline substitutions or XPath.

The following example syntax uses in-line substitutions in the local rule to concisely retrieve values and simplify the policy. There are additional ways to accomplish the same (or more complex) scenarios. For more examples and a complete guide to the Attribute Mapping Policy language, see the Appendix: Attribute Mapping Policy Reference.

DefaultRetrieves the value by looking for common locations or labels for the field. Note that at this time, only an attribute with the same name as the field is matched. For example, name: "{D}" matches the attribute with the name "{D}"
ExplicitDirectly input the values into the Attribute Mapping Policy fields. This is most useful for values that do not change for any federated user logging in, because they are applied to all federated users for this Identity Provider.expire: "PT12H"
Attribute matchingUses XPath to match a SAML attribute in your SAML assertion by name, returning one or more values.Single value return (At): email: "{At(urn:oid:1.2.840.113549.}"

Multi value return (Ats):
multiValue: true
value: "{Ats(}"
Path matchingUses XPath to match the path to a value in your SAML assertion by using the XML hierarchy or schema."{Pt(/saml2p:Response/saml2:Assertion/saml2:Conditions/@NotOnOrAfter[1])}"

Retrieves the value of NotOnOrAfter

Example policy with required attributes

The following Attribute Mapping Policy example uses explicit and SAML-provided values for mapping the required fields. Note that this is a basic example, and more customization might be required in some cases. For considerations for specific third-party SAML providers, see Configure Third-Party SAML providers.

For more examples and a complete guide to the Attribute Mapping Policy language, see the Appendix: Attribute Mapping Policy Reference.

 version: "RAX-1"
  # Comments are allowed in YAML
 - local:
       domain: "636462353"
       # Domain must be set to your Identity Domain
       name: "{D}"
       #  Username is set from the element named "name" value in your SAML
       email: "{At(}"
       #  Locates the attribute with the above URL as the claim type or name
       - "nova:observer"
       - "lbaas:admin"
       #  Assigns the roles explicitly listed above
       expire: "{Pt(/saml2p:Response/saml2:Assertion/saml2:Conditions/@NotOnOrAfter[1])}"
       #  Retrieves the NotOnOrAfter value by using the SAML path and XPath