The SAML claims defined in the RP (ADFS Relying Party or Azure AD application) must match the SAML claims defined in EAM. If the RP defines SAML claims that EAM does not use, the extra claims are harmless but will be ignored.
For ADFS these claims can be created using the claimrules.ps1 script.
|
Claim Name |
Value with Azure AD |
Value with Okta |
|
http://schemas.hexagon.com/claims/Identity |
user.userprincipalname |
user.login |
|
http://schemas.hexagon.com/claims/Description |
user.displayname |
|
|
http://schemas.hexagon.com/claims/DisplayUser |
user.displayname |
user.email |
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
user.mail |
user.email |
|
http://schemas.microsoft.com/ws/2008/06/identity/claims/role |
A constant, or one of more group names |
Group attribute statement |
|
http://schemas.hexagon.com/claims/Customer |
Constant string |
Constant string |
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn |
user.userprincipalname |
user.login |
|
http://schemas.xmlsoap.org/claims/Group |
user.assignedroles |
Group attribute statement |
Notes on these claims:
-
Identity: The value of this claim is an identifier that uniquely identifies the end user in the EAM database (r5users table). It must correspond to either the usr_code or the usr_externcode in r5users. The recommended value for this claim is the UPN. However, if externcodes are already set up in r5users with a different value (e.g. the email address), that value should be used instead.
-
For on-premise installations, the name identifier type must be set in ‘transient’ in the IDP.
-
Role: the role claim is used only to perform Just In Time (JIT) user creation in EAM. The simplest way to configure JIT user creation is to (1) return a list of the groups the user belongs to in the role claim, (2) create corresponding roles in EAM, and (3) set the SSOROLES install parameter. This install parameter specifies the order of priority of roles in the SAML response when more that one value is returned.