
IdP attribute mapping

Any user information stored in the Identity Provider is relayed to DigiCert ONE through OpenID Connect (OIDC) or SAML during user login. For OIDC, all ID Token claims are relayed; for SAML, all SAML attributes are relayed. This user information can later be used to restrict user access per certificate profile and as a certificate field source. For more details, see Create a DigiCert ONE Login profile.

Certain OIDC claims and SAML attributes are required for user creation to succeed, so ensure that your Identity Provider is configured to relay them. The configuration depends on the Identity Provider your organization uses. Refer to the provider documentation on how to add claims to the ID Token for OIDC, or how to add attributes for SAML.

  • OIDC - ID Token claims

    Sample ID Token:

    {
      "sub": "00abcdflw9aF77gpMzx7",
      "name": "John Doe",
      "first_name": "John",
      "last_name": "Doe",
      "email": "john.doe@digicert.com",
      "iss": "https://dev-261562.okta.com/oauth2/default",
      "aud": "0abcdfnf0cqdZb0Hy4x7",
      "iat": 1711073571,
      "exp": 1711077171,
      "preferred_username": "john.doe@digicert.com",
      "auth_time": 1711073568,
      "groups": [
        "Everyone",
        "Support Group"
      ]
    }

    * The value of a claim can be either a single string or a list of strings. In the sample above, both Everyone and Support Group are stored under groups.

    Required claims:

    • email

    • For first name, one of given_name, first_name, firstname, or givenname.

    • For last name, one of last_name, family_name, lastname, familyname, or surname.

  • SAML - SAML attributes

    Sample SAML assertion:

    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@test.digicert.com</NameID>
      ...
    </Subject>
    ... 
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <AttributeValue>user1@test.digicert.com</AttributeValue>
      </Attribute>
      <Attribute Name="firstName">
        <AttributeValue>Demo</AttributeValue>
      </Attribute>
      <Attribute Name="lastName">
        <AttributeValue>User1</AttributeValue>
      </Attribute>
      <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <AttributeValue>CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com</AttributeValue>
        <AttributeValue>CN=Remote Management Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
        <AttributeValue>CN=Remote Desktop Users,CN=Builtin,DC=test,DC=digicert,DC=com</AttributeValue>
      </Attribute>
    </AttributeStatement>
    ...

    * The value of an attribute can be either a single string or a list of strings. In the sample above, three attribute values are stored under http://schemas.xmlsoap.org/claims/Group.

    Required attributes:

    • For first name, one of given_name, first_name, firstname, or givenname.

    • For last name, one of last_name, family_name, lastname, familyname, or surname.

    * Email is retrieved from Subject.NameID, which must be in email-address format for DigiCert ONE.

The above configuration depends on the Identity Provider your organization uses. Refer to the provider documentation on adding claims to the ID Token for OIDC, or adding attributes for SAML.
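The mapping rules above applied in code, as an added example (not DigiCert ONE's own implementation): it resolves the required fields from an OIDC ID Token payload and from a SAML assertion using the accepted claim names listed on this page, normalises single-or-list values, and rejects a login whose IdP relayed no acceptable value. Case-insensitive name matching, the SAML 2.0 assertion namespace and the reduced sample inputs are assumptions, and the assertion is taken to be already signature-verified.

```python
import xml.etree.ElementTree as ET

# Accepted claim/attribute names per required field, in lookup order (from the page).
# Matching is case-insensitive here: an assumption, since the SAML sample uses "firstName".
FIRST_NAME = ("given_name", "first_name", "firstname", "givenname")
LAST_NAME = ("last_name", "family_name", "lastname", "familyname", "surname")
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def map_user(claims, group_claim="groups"):
    """Pick the fields DigiCert ONE needs, or raise if the IdP did not relay a required one."""
    lowered = {k.lower(): v for k, v in claims.items()}
    def pick(names):
        for name in names:
            if lowered.get(name):
                return lowered[name]
        raise ValueError(f"IdP relayed none of {names}; user creation would fail")
    groups = lowered.get(group_claim.lower(), [])
    return {
        "email": pick(("email",)),
        "first_name": pick(FIRST_NAME),
        "last_name": pick(LAST_NAME),
        # A relayed value may be one string or a list; groups are what per-profile access rules key on.
        "groups": groups if isinstance(groups, list) else [groups],
    }

def saml_to_claims(assertion_xml):
    """Flatten a (verified) SAML 2.0 assertion: NameID -> email, each Attribute -> its value(s)."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    # Email must come from Subject.NameID, which has to be in email-address format.
    if name_id is not None and name_id.get("Format", "").endswith("emailAddress"):
        claims["email"] = name_id.text
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims[attr.get("Name")] = values[0] if len(values) == 1 else values
    return claims

# Constructed samples, reduced from the page's ID Token and SAML assertion.
OIDC_TOKEN = {"email": "john.doe@digicert.com", "first_name": "John",
              "last_name": "Doe", "groups": ["Everyone", "Support Group"]}
SAML_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user1@test.digicert.com</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="firstName"><saml:AttributeValue>Demo</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue>User1</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<saml:AttributeValue>CN=DigiCert Test Users,CN=Users,DC=test,DC=digicert,DC=com</saml:AttributeValue>
<saml:AttributeValue>CN=Remote Desktop Users,CN=Builtin,DC=test,DC=digicert,DC=com</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
```

For SAML, pass the Group attribute URI as `group_claim` so the directory group values land in the same `groups` list as the OIDC `groups` claim.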