Claim transformation – Transform some claims into KOMBIT OIOSAML Basic Privilege Profile

Version: 4.3++

Based on the claims in the user's claim pipeline, this transformation builds an OIO Basic Privilege Profile (BPP) privilege list and issues it as a claim.

How to:

  • On the claim transformation list, create an external claim transformation like the one below:


+ Transformation type name: choose "Safewhere.Customization.BasicPrivilegeProfile.BasicPrivilegeProfileClaimsTransformation, Safewhere.Customization".

+ Under Additional settings, add the following keys:

+ urn:claim:type:cvr: the claim type that carries the user's CVR number. (This key is required.)

+ A key that starts with "urn:claim:type:privilege", e.g. "urn:claim:type:privilege": a regular expression; claims whose claim type matches it are collected as privileges. (At least one such key is required.)

+ A key that starts with "urn:claim:type:constraint", e.g. "urn:claim:type:constraint": a regular expression; claims whose claim type matches it are collected as constraints. (This key is optional.)

  • Apply this transformation to the SP or IdP connection on the connection list.
  • Run the login flow with that SP or IdP. If the logged-in user has the CVR claim type and claims matching the BPP settings, the user receives the claim type "dk:gov:saml:attribute:Privileges_intermediate" whose value is the base64-encoded privilege list. Here is a sample of its decoded value:

[Image: decoded BPP claim value]

Q&A:

  • Q: I want to add multiple regular expressions for collecting the privileges. How can I do that?
  • A: Add multiple keys that start with "urn:claim:type:privilege". For example, to use the two expressions "^(?i)urn:oid:.*$" and "^(?i)urn:test:.*$", create the keys "urn:claim:type:privilege:list1" and "urn:claim:type:privilege:list2" and put one expression in each.
  • Q: If the claim types matched by list 1 and list 2 overlap, does that throw an exception?
  • A: No. The privilege list is the union of the two lists.
  • Q: If I leave the value of "urn:claim:type:privilege" empty, what happens?
  • A: All claims in the user's claim pipeline are taken as privileges in the privilege list. Avoid this outside of testing: every claim in the pipeline, not only role claims, then ends up in the privilege list sent to the service provider.
  • Q: If the logged-in user has no claim matching the regular expression in "urn:claim:type:privilege", what happens?
  • A: The user gets the error message "There is no privilege claims found." and the login flow stops.
  • Q: I can't find the transformation type "Safewhere.Customization.BasicPrivilegeProfile.BasicPrivilegeProfileClaimsTransformation, Safewhere.Customization.BasicPrivilegeProfile" in the external transformation list. What can I do?
  • A: There are currently two builds of this transformation:
    • If you are using an Identify 5.0 build from before 2106Dec05, copy this DLL file into the Bin folder of your tenant's Runtime site and run an IIS reset. The transformation then appears in the external transformation list.
    • If you are using an Identify 4.2 or 4.3 build from before 2106Dec05, copy this DLL file into the Bin folder of your tenant's Runtime site and run an IIS reset. The transformation then appears in the external transformation list.
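The procedure above and the Q&A cases (several privilege keys, overlapping lists, an empty pattern, no matching claim), modelled end to end as an added Python example. This is not Safewhere's code; the product ships the transformation as a .NET DLL that is not shown on this page. Assumptions made here: the XML follows the OIO Basic Privilege Profile layout (a PrivilegeList root in the profile namespace containing a PrivilegeGroup with a Scope attribute, Constraint and Privilege children); the value of a matched claim is used as the privilege text, and for constraints the claim type becomes the Name attribute; the scope is derived from the CVR claim value with an assumed URN prefix; the claim type names, regexes and sample pipeline are constructed. Regexes are applied to claim types, as the settings on this page describe.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Claim = Tuple[str, str]  # (claim type, claim value) from the claim pipeline

# OIO Basic Privilege Profile names (assumed; check them against the profile
# version your service provider expects). The scope prefix is also assumed.
BPP_NS = "http://itst.dk/oiosaml/basic_privilege_profile"
PRIVILEGES_CLAIM = "dk:gov:saml:attribute:Privileges_intermediate"
CVR_SCOPE_PREFIX = "urn:dk:gov:saml:cvrNumberIdentifier:"

# Settings keys exactly as the page describes them.
CVR_KEY = "urn:claim:type:cvr"
PRIVILEGE_KEY_PREFIX = "urn:claim:type:privilege"
CONSTRAINT_KEY_PREFIX = "urn:claim:type:constraint"


class NoPrivilegeClaims(Exception):
    """Raised with the page's message when no claim matches a privilege regex."""


def matching_claims(claims: List[Claim], settings: Dict[str, str], key_prefix: str) -> List[Claim]:
    """Claims whose *type* matches any regex stored under a key starting with
    key_prefix. An empty regex selects every claim (the empty-key Q&A case).
    A claim matched by several lists is kept once, so overlaps do not raise."""
    patterns = [v for k, v in settings.items() if k.startswith(key_prefix)]
    selected: Dict[Claim, None] = {}
    for pattern in patterns:
        for claim in claims:
            if pattern == "" or re.search(pattern, claim[0]):
                selected.setdefault(claim, None)
    return list(selected)


def build_privilege_list(claims: List[Claim], settings: Dict[str, str]) -> str:
    """Build the PrivilegeList XML. Assumption: a matched claim's value is the
    privilege text; for constraints the type becomes Name and the value the text."""
    if CVR_KEY not in settings:
        raise KeyError(f"{CVR_KEY} is required")
    if not any(k.startswith(PRIVILEGE_KEY_PREFIX) for k in settings):
        raise KeyError(f"a key starting with {PRIVILEGE_KEY_PREFIX} is required")
    cvr_values = sorted({v for t, v in claims if t == settings[CVR_KEY]})
    if len(cvr_values) != 1:
        # Privileges scoped to the wrong organisation are an authorisation
        # bug, so refuse to guess when the CVR claim is missing or ambiguous.
        raise ValueError(f"expected exactly one CVR claim, found {cvr_values}")
    privileges = matching_claims(claims, settings, PRIVILEGE_KEY_PREFIX)
    if not privileges:
        raise NoPrivilegeClaims("There is no privilege claims found.")
    constraints = matching_claims(claims, settings, CONSTRAINT_KEY_PREFIX)

    ET.register_namespace("bpp", BPP_NS)
    root = ET.Element(f"{{{BPP_NS}}}PrivilegeList")
    group = ET.SubElement(root, "PrivilegeGroup", Scope=CVR_SCOPE_PREFIX + cvr_values[0])
    for ctype, value in constraints:
        ET.SubElement(group, "Constraint", Name=ctype).text = value
    for _ctype, value in privileges:
        ET.SubElement(group, "Privilege").text = value
    return ET.tostring(root, encoding="unicode")


def transform(claims: List[Claim], settings: Dict[str, str]) -> Claim:
    """The issued claim: Privileges_intermediate carrying the base64-encoded XML."""
    xml = build_privilege_list(claims, settings)
    return (PRIVILEGES_CLAIM, base64.b64encode(xml.encode("utf-8")).decode("ascii"))


def decode_privileges(b64_value: str) -> Dict[str, object]:
    """Relying-party side: decode and parse the claim value. It is untrusted
    input; the stdlib parser is fine for inspecting test output, but use a
    hardened XML parser (e.g. defusedxml) in production code."""
    root = ET.fromstring(base64.b64decode(b64_value))
    if root.tag != f"{{{BPP_NS}}}PrivilegeList":
        raise ValueError(f"unexpected root element {root.tag}")
    group = root.find("PrivilegeGroup")
    if group is None:
        raise ValueError("no PrivilegeGroup in privilege list")
    return {
        "scope": group.get("Scope"),
        "constraints": {c.get("Name"): c.text for c in group.findall("Constraint")},
        "privileges": [p.text for p in group.findall("Privilege")],
    }


# Constructed sample pipeline and settings; not real KOMBIT data. The page's
# .NET patterns are written "^(?i)urn:oid:.*$"; Python requires the (?i) flag
# at the very start of the pattern, hence the order used here.
SAMPLE_CLAIMS: List[Claim] = [
    ("dk:gov:saml:attribute:CvrNumberIdentifier", "12345678"),
    ("urn:oid:1.2.3", "urn:dk:kombit:rolle:A"),
    ("urn:test:b", "urn:dk:kombit:rolle:B"),
    ("urn:oid:1.2.3", "urn:dk:kombit:rolle:A"),  # duplicate, kept once
    ("urn:dk:kombit:constraint:KLE", "25.*"),
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "alice"),
]
SAMPLE_SETTINGS = {
    CVR_KEY: "dk:gov:saml:attribute:CvrNumberIdentifier",
    PRIVILEGE_KEY_PREFIX + ":list1": r"(?i)^urn:oid:.*$",
    PRIVILEGE_KEY_PREFIX + ":list2": r"(?i)^urn:test:.*$",
    CONSTRAINT_KEY_PREFIX: r"^urn:dk:kombit:constraint:.*$",
}
```

Call `transform(SAMPLE_CLAIMS, SAMPLE_SETTINGS)` to get the issued claim and `decode_privileges(...)` on its value to see the scope, constraints and privileges; the decoder is also what you would run over the Privileges_intermediate value in a captured SAML response instead of reading the base64 string by eye. Note that the transformation refuses to build a group when the CVR claim is missing or has more than one value, which is stricter than the page states but avoids scoping privileges to the wrong organisation.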