Claims are name/value pairs that originate with an identity provider. In Smart API Manager you can map an identity provider claim to User, to Group, or to a custom claim name (Provide a value), and you can combine these mappings:
- If you map a claim to User, the claim's value is used as an external identity for a user.
- If you map a claim to Group, the claim's value is used as an external identity for a group.
- If you map a claim to a custom name (Provide a value), the claim is passed through under that name to the id and access tokens retrieved during authentication.
The sub and name claims are always passed through to the id and access tokens, even without a custom name mapping. However, if the value of either claim is transformed using regular expressions (see Modify claim values via regex), the transformed value only reaches the tokens if you map the claim to a custom name: map sub to sub and/or name to name so that the tokens carry the transformed value rather than the original one.
For example, you add an OpenID Connect identity provider called MyProvider. One of the claims available for OpenID Connect is email, and you want to use its value to identify users.
Include email as a Scope value in Settings; the provider only returns the email claim when that scope is requested.
In the Claims section for the identity provider, the Provider Claim email can map to User, Group, or both. In this example, map it to User and to the custom name email, so that the email claim and its value are also passed through to the id and access tokens:
Provider Claim | Value maps to... | Default Value
---|---|---
email | User, email | none
With the Users feature in Smart API Manager, you can add an identity to a local user based on the claim mapping. For more information, see Add external identity provider credentials to a user.
For example, you select the System Administrator user and edit the user's External Identities to Add external identity. You select the identity provider (MyProvider), enter the email value of the desired user, and save the changes:
Identity Provider | Name
---|---
MyProvider | joe_user@gmail.com
Now, when Joe User authenticates (logs in) using MyProvider, he has the same privileges and access as the System Administrator user in Smart API Manager. Note that the match is on the claim value alone: anyone who can log in at MyProvider and obtain a token whose email claim is joe_user@gmail.com receives System Administrator privileges, so the identity provider's handling of that claim is the trust boundary for the administrator account. Map privileged users only to claims that the provider verifies and that its users cannot change themselves.
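The mapping rules above (map to User, map to Group, pass through under a custom name, the sub/name always-pass-through rule, and default values) are easy to model in a few lines. The following Python is an added example for illustration, not Smart API Manager's code; the ClaimMapping, LocalUser, apply_mappings and login names, the regex on sub, and the groups claim with a default are assumptions. It reproduces the MyProvider/Joe User example and also shows that an identity registered for MyProvider does not match the same email claim presented through a different provider.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added illustration of the claim-mapping rules described above. This is not
# Smart API Manager's code; all names here are assumptions for the example.

ALWAYS_PASSED_THROUGH = ("sub", "name")


@dataclass
class ClaimMapping:
    provider_claim: str
    maps_to_user: bool = False
    maps_to_group: bool = False
    custom_name: Optional[str] = None     # "Provide a value": pass-through claim name
    default_value: Optional[str] = None   # used only when the provider omits the claim
    regex: Optional[tuple] = None         # (pattern, replacement), cf. "Modify claim values via regex"


@dataclass
class LocalUser:
    name: str
    # provider name -> set of external identity values registered for this user
    external_identities: dict = field(default_factory=dict)


def apply_mappings(provider, claims, mappings, users):
    """Apply the mappings to one provider's claims.

    Returns (matched local users, group identities, claims for the issued tokens).
    """
    user_ids, group_ids, token_claims = set(), set(), {}

    # sub and name always pass through, with their original values.
    for c in ALWAYS_PASSED_THROUGH:
        if c in claims:
            token_claims[c] = claims[c]

    for m in mappings:
        raw = claims.get(m.provider_claim, m.default_value)
        if raw is None:
            continue                       # claim absent and no default: nothing to map
        values = raw if isinstance(raw, list) else [raw]
        if m.regex:
            values = [re.sub(m.regex[0], m.regex[1], v) for v in values]
        if m.maps_to_user:
            user_ids.update(values)
        if m.maps_to_group:
            group_ids.update(values)
        if m.custom_name:
            # A sub -> sub (or name -> name) mapping replaces the untransformed
            # value stored above with the regex-transformed one.
            token_claims[m.custom_name] = values[0] if len(values) == 1 else values

    # External identities are matched per provider on the exact claim value;
    # the same email presented via another provider matches nothing.
    matched = [u for u in users
               if user_ids & u.external_identities.get(provider, set())]
    return matched, group_ids, token_claims


# Constructed configuration mirroring the MyProvider / Joe User example.
MAPPINGS = [
    ClaimMapping("email", maps_to_user=True, custom_name="email"),
    ClaimMapping("groups", maps_to_group=True, default_value="readers"),
    ClaimMapping("sub", custom_name="sub", regex=(r"^oidc\|", "")),
]
USERS = [
    LocalUser("System Administrator", {"MyProvider": {"joe_user@gmail.com"}}),
    LocalUser("Guest", {"MyProvider": {"guest@example.com"}}),
]


def login(provider, claims):
    """Simulate one authentication: the claims come from the provider's id token."""
    return apply_mappings(provider, claims, MAPPINGS, USERS)


if __name__ == "__main__":
    joe = {"sub": "oidc|1234", "name": "Joe User", "email": "joe_user@gmail.com"}
    users, groups, token = login("MyProvider", joe)
    print([u.name for u in users], groups, token)
    # ['System Administrator'] {'readers'} {'sub': '1234', 'name': 'Joe User', 'email': 'joe_user@gmail.com'}
```

The third mapping shows the rule from the text: the regex strips the `oidc|` prefix from sub, but only because sub is also mapped to the custom name sub; remove that mapping and the tokens carry the original `oidc|1234`.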
To map claims
- Click the Add a provider claim box.
- Type a claim name (to filter the available claims) or select one directly from the list, and click ADD.
- Click Provide a value (under the Value maps to column) and select User, Group, or both. If you also want to pass the claim through to the id and access tokens, click Provide a value, type a claim name, click SAVE, and then select the custom claim name.
- Click Provide a value (under the Default Value column) and enter a default value to use when the provider does not send the claim, if one is needed. Otherwise, leave the value blank.
- Click NEXT.
- If you are ready for the identity provider to be available for use, select the Enable identity provider check box to change the status to Enabled.
- Click NEXT and then FINISH.