IdP attribute mapping
Any user information stored in the Identity Provider is relayed to DigiCert ONE through OpenID Connect (OIDC) or SAML during the user login process. For OIDC, all ID Token claims are relayed; for SAML, all SAML attributes are relayed. This user information can later be used to restrict user access per certificate profile and as a certificate field source. For more details, see Create a DigiCert ONE Login profile.
Certain OIDC claims and SAML attributes are required for the user creation process to succeed, so ensure that those values are configured in your Identity Provider. The configuration depends on the Identity Provider your organization uses. Refer to the provider documentation on how to add claims to the ID Token for OIDC, or how to add attributes for SAML.
OIDC - ID Token claims
Sample ID Token:
{
  "sub": "00abcdflw9aF77gpMzx7",
  "name": "John Doe",
  "first_name": "John",
  "last_name": "Doe",
  "email": "john.doe@digicert.com",
  "iss": "https://dev-261562.okta.com/oauth2/default",
  "aud": "0abcdfnf0cqdZb0Hy4x7",
  "iat": 1711073571,
  "exp": 1711077171,
  "preferred_username": "john.doe@digicert.com",
  "auth_time": 1711073568,
  "groups": [
    "Everyone",
    "Support Group"
  ]
}
* The value of a claim can be either a single string or a list of strings. In the sample above, Everyone and Support Group are both stored under groups.
Required claims:
- email
- For first name, one of given_name, first_name, firstname, or givenname.
- For last name, one of last_name, family_name, lastname, familyname, or surname.
SAML - SAML attributes
Sample SAML assertion:
<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@test.digicert.com</NameID>
  ...
</Subject>
...
<AttributeStatement>
  <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>user1@test.digicert.com</AttributeValue>
  </Attribute>
  <Attribute Name="firstName">
    <AttributeValue>Demo</AttributeValue>
  </Attribute>
  <Attribute Name="lastName">
    <AttributeValue>User1</AttributeValue>
  </Attribute>
  <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <AttributeValue>CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com</AttributeValue>
    <AttributeValue>CN=Remote Management Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
    <AttributeValue>CN=Remote Desktop Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
  </Attribute>
</AttributeStatement>
...
* The value of an attribute can be either a single string or a list of strings. In the sample above, three attribute values are stored under http://schemas.xmlsoap.org/claims/Group.
Required attributes:
- For first name, one of given_name, first_name, firstname, or givenname.
- For last name, one of last_name, family_name, lastname, familyname, or surname.
* Email is retrieved from Subject.NameID, which must be in email address format for DigiCert ONE.
The above configuration depends on the Identity Provider your organization uses. Refer to the provider documentation on adding claims to the ID Token for OIDC, or adding attributes for SAML.
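As an added example (not DigiCert ONE's own code), the mapping described in both the OIDC and SAML sections above, in Python: the required fields are looked up under the accepted alternate names, single-string and list values are normalized, the SAML email is taken from Subject/NameID only when its Format is emailAddress, and any missing required field is reported. The sample claim set and assertion fragment are constructed; the SAML 2.0 assertion namespace and exact, case-sensitive name matching are assumptions.

```python
import xml.etree.ElementTree as ET

# Alternate claim/attribute names the page accepts for the required name fields.
FIRST_NAME_KEYS = ("given_name", "first_name", "firstname", "givenname")
LAST_NAME_KEYS = ("last_name", "family_name", "lastname", "familyname", "surname")
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # assumed SAML 2.0 namespace

def as_list(value):
    """A claim or attribute value may be a single string or a list of strings."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def first_present(attrs, keys):
    """Return the first non-empty value found under any of the accepted names (exact match)."""
    for key in keys:
        values = as_list(attrs.get(key))
        if values and values[0]:
            return values[0]
    return None

def build_user(email, attrs):
    """Assemble the user record and list any required field that is absent."""
    user = {"email": email, "first_name": first_present(attrs, FIRST_NAME_KEYS),
            "last_name": first_present(attrs, LAST_NAME_KEYS),
            "attributes": {k: as_list(v) for k, v in attrs.items()}}  # kept for profile checks
    missing = [f for f in ("email", "first_name", "last_name") if not user[f]]
    return user, missing

def map_oidc_claims(claims):
    """OIDC: all ID Token claims are relayed; email is taken from the 'email' claim."""
    return build_user(claims.get("email"), claims)

def map_saml_assertion(xml_text):
    """SAML: email is Subject/NameID (emailAddress format only); all attributes are relayed."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    ok = name_id is not None and (name_id.get("Format") or "").endswith(":emailAddress")
    email = ((name_id.text or "").strip() or None) if ok else None
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", SAML_NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)}
    return build_user(email, attrs)

# Constructed samples (not from a real IdP): one ID Token claim set, one assertion fragment.
SAMPLE_CLAIMS = {"email": "jane@example.com", "givenname": "Jane", "surname": "Roe", "groups": ["Everyone", "Support Group"]}
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
<saml:AttributeStatement><saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"><saml:AttributeValue>CN=Group A</saml:AttributeValue>
<saml:AttributeValue>CN=Group B</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
```

The constructed assertion deliberately omits a last-name attribute, so map_saml_assertion reports it as missing, which is the failure the required-attribute lists above exist to prevent.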