IdP attribute mapping

Any user information stored in the Identity Provider is relayed to DigiCert ONE through OpenID Connect (OIDC) or SAML during the user login process. Each federated protocol relays the information as follows (with samples):

  • OIDC - ID Token claims

    {
      "sub": "00abcdflw9aF77gpMzx7",
      "name": "John Doe",
      "first_name": "John",
      "last_name": "Doe",
      "email": "john.doe@digicert.com",
      "iss": "https://dev-261562.okta.com/oauth2/default",
      "aud": "0abcdfnf0cqdZb0Hy4x7",
      "iat": 1711073571,
      "exp": 1711077171,
      "preferred_username": "john.doe@digicert.com",
      "auth_time": 1711073568,
      "groups": [ "Everyone", "Support Group" ]
    }

  • SAML - SAML attributes

    ...
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>user1@test.digicert.com</AttributeValue>
      </Attribute>
      <Attribute Name="firstName">
        <AttributeValue>Demo</AttributeValue>
      </Attribute>
      <Attribute Name="lastName">
        <AttributeValue>User1</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <AttributeValue>CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com</AttributeValue>
        <AttributeValue>CN=Remote Management Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
        <AttributeValue>CN=Remote Desktop Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    ...

    * Each attribute value can be either a single string or a list of strings (as with the group values above).

The following attributes are required and must be relayed for the user creation process to succeed:

  • Email: “email”

  • First name: Any of “given_name”, “first_name”, “firstname”, or “givenname”

  • Last name: Any of “last_name”, “lastname”, “familyname”, “family_name”, or “surname”

The above configuration depends on the Identity Provider you are using for your organization. Refer to the provider documentation on how to add claims to the ID Token for OIDC, or add attributes for SAML.
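The following is an added example, not DigiCert ONE's own code: it takes either an OIDC ID-token claim set or a SAML AttributeStatement, normalises the attribute names, and reports which of the required attributes listed above (email, first name, last name) are missing or empty, so a mapping problem can be caught before users fail to be created at login. It assumes that claim names are matched on the lowercased last segment of a URI and that the `emailaddress` claim URI from the SAML sample counts as the email attribute; the sample inputs are constructed.

```python
# Added example, not DigiCert ONE code: check that an IdP's OIDC ID-token claims
# or SAML AttributeStatement carry the attributes this page lists as required
# (email, first name, last name) and report which are missing.
import xml.etree.ElementTree as ET

# Accepted names per field, as listed on this page. Two assumptions of this example:
# names match on the lowercased last segment of a claim URI, and "emailaddress"
# (the URI ending in the page's SAML sample) counts as the email claim.
REQUIRED = {
    "email": ("email", "emailaddress"),
    "first_name": ("given_name", "first_name", "firstname", "givenname"),
    "last_name": ("last_name", "lastname", "familyname", "family_name", "surname"),
}

# Constructed samples modelled on the page's two examples (not real identities).
OIDC_CLAIMS = {"sub": "00example", "email": "john.doe@example.com", "first_name": "John",
               "last_name": "Doe", "groups": ["Everyone", "Support Group"]}
SAML_SAMPLE = """<AttributeStatement xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user1@example.com</AttributeValue></Attribute>
  <Attribute Name="firstName"><AttributeValue>Demo</AttributeValue></Attribute>
  <Attribute Name="lastName"><AttributeValue>User1</AttributeValue></Attribute>
</AttributeStatement>"""

def _key(name):
    return name.rstrip("/").rsplit("/", 1)[-1].lower()  # last URI segment, lowercased

def saml_attributes(xml_text):
    """Flatten <Attribute Name=...> elements into {Name: [values]}, ignoring namespaces."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    attrs = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "Attribute":
            attrs[el.get("Name")] = [v.text or "" for v in el if local(v.tag) == "AttributeValue"]
    return attrs

def resolve_required(attrs):
    """attrs maps claim/attribute name -> str or list of str (the page allows both).
    Returns ({field: first non-empty value}, [required fields with no usable value])."""
    by_key = {}
    for name, value in attrs.items():
        vals = value if isinstance(value, (list, tuple)) else [value]
        by_key.setdefault(_key(name), []).extend(str(v) for v in vals if v and str(v).strip())
    resolved = {}
    for field, names in REQUIRED.items():
        hit = next((by_key[n][0] for n in names if by_key.get(n)), None)
        if hit is not None:
            resolved[field] = hit
    return resolved, [f for f in REQUIRED if f not in resolved]
```

Run `resolve_required(OIDC_CLAIMS)` or `resolve_required(saml_attributes(SAML_SAMPLE))` against a captured token or assertion from your IdP; an empty missing list means every required attribute was relayed with a non-empty value.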