SAML claims - HxGN EAM - 12.1.1 - Feature Briefs - Hexagon

HxGN EAM Single Sign-On

Language
English
Product
HxGN EAM
Search by Category
Feature Briefs
HxGN EAM Version
12.1.1

The SAML claims defined in the RP (ADFS Relying Party or Azure AD application) must match the SAML claims defined in EAM. If the RP defines SAML claims that EAM does not use, the extra claims are harmless but will be ignored.

For ADFS these claims can be created using the claimrules.ps1 script.

Claim Name

Value with Azure AD

Value with Okta

http://schemas.hexagon.com/claims/Identity

user.userprincipalname

user.login

http://schemas.hexagon.com/claims/Description

user.displayname

http://schemas.hexagon.com/claims/DisplayUser

user.displayname

user.email

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

user.mail

user.email

http://schemas.microsoft.com/ws/2008/06/identity/claims/role

A constant, or one of more group names

Group attribute statement

http://schemas.hexagon.com/claims/Customer

Constant string

Constant string

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

user.userprincipalname

user.login

http://schemas.xmlsoap.org/claims/Group

user.assignedroles

Group attribute statement

Notes on these claims:

  • Identity: The value of this claim is an identifier that uniquely identifies the end user in the EAM database (r5users table). It must correspond to either the usr_code or the usr_externcode in r5users. The recommended value for this claim is the UPN. However, if externcodes are already set up in r5users with a different value (e.g. the email address), that value should be used instead.

  • For on-premise installations, the name identifier type must be set in ‘transient’ in the IDP.

  • Role: the role claim is used only to perform Just In Time (JIT) user creation in EAM. The simplest way to configure JIT user creation is to (1) return a list of the groups the user belongs to in the role claim, (2) create corresponding roles in EAM, and (3) set the SSOROLES install parameter. This install parameter specifies the order of priority of roles in the SAML response when more that one value is returned.