Dear experts,
The Shibboleth SAML Identity Provider of our customer only provides transient identifiers, as specified in its metadata as:
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
So in the SAML token we get from the Identity Provider we get a subject assertion like e.g.

    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                    NameQualifier="https://example.idp.com/idp/shibboleth"
                    SPNameQualifier="saviyntsso"
                    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">AAdzZWNyZXQ...HWwDA==</saml2:NameID>
    </saml2:Subject>

which by definition cannot be mapped to a username in Saviynt.
However, in the other attribute assertions of that same SAML token, there are a number of attributes that we could map to a username or e-mail address of an existing Saviynt user, like
    <saml2:Attribute FriendlyName="eduPersonTargetedID"
                     Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                      NameQualifier="https://example.idp.com/idp/shibboleth"
                      SPNameQualifier="saviyntsso">johndoe</saml2:NameID>
      </saml2:AttributeValue>
    </saml2:Attribute>
or
    <saml2:Attribute FriendlyName="mail"
                     Name="urn:oid:0.9.2342.19200300.100.1.3"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:type="xsd:string">johndoe@example.idp.com</saml2:AttributeValue>
    </saml2:Attribute>
How can we adjust our AuthenticationConfig.groovy (or metadata files) to use one of the other attribute assertions to look up the correct Saviynt user instead of the subject assertion?
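As an added example (not Saviynt's AuthenticationConfig.groovy, and written in Python rather than Groovy), here is the selection logic the question describes: skip a transient Subject NameID, prefer a persistent eduPersonTargetedID only when its NameQualifier and SPNameQualifier match the expected IdP entityID and SP name, and fall back to mail last. The entityID https://example.idp.com/idp/shibboleth, the SP name saviyntsso and the attribute OIDs are taken from the post; the assertion is constructed from its fragments.

```python
# Added example, not Saviynt's code: pick a stable lookup key from a SAML 2.0 assertion
# with a transient Subject. SAMPLE_ASSERTION is constructed from the post's fragments.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"   # mail

SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
  NameQualifier="https://example.idp.com/idp/shibboleth" SPNameQualifier="saviyntsso"
  >AAdzZWNyZXQ...HWwDA==</saml2:NameID></saml2:Subject>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" FriendlyName="eduPersonTargetedID">
   <saml2:AttributeValue><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
    NameQualifier="https://example.idp.com/idp/shibboleth" SPNameQualifier="saviyntsso"
    >johndoe</saml2:NameID></saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
   <saml2:AttributeValue>johndoe@example.idp.com</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

def attribute_values(root, name):
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == name:
            yield from attr.findall("saml2:AttributeValue", NS)

def resolve_user(assertion_xml, idp_entity_id, sp_name):
    """Lookup key: non-transient Subject NameID, else eduPersonTargetedID qualified by
    our IdP/SP, else mail. Assumes signature and Conditions were already validated."""
    root = ET.fromstring(assertion_xml)
    subj = root.find("saml2:Subject/saml2:NameID", NS)
    if subj is not None and subj.get("Format") != TRANSIENT and subj.text:
        return subj.text.strip()
    # Transient subject is an opaque per-session value, so fall back to attributes.
    for val in attribute_values(root, EPTID):
        nid = val.find("saml2:NameID", NS)
        # Only trust a persistent ID that is qualified by our IdP and our SP name.
        if (nid is not None and nid.get("Format") == PERSISTENT
                and nid.get("NameQualifier") == idp_entity_id
                and nid.get("SPNameQualifier") == sp_name and nid.text):
            return nid.text.strip()
    # mail is mutable and can be reassigned, so it is the weakest fallback.
    for val in attribute_values(root, MAIL):
        if val.text and val.text.strip():
            return val.text.strip()
    return None
```

With the post's qualifiers the persistent eduPersonTargetedID wins; if the SPNameQualifier does not match our SP, the code falls through to mail rather than trusting an ID scoped to another service.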