LDAP Attribute Transformation


It is important to stress that the LDAP attribute store (also known as the LDAP claims transformation) is not limited to the AD Provider plug-in. It is a full, stand-alone feature in its own right, so other plug-ins can use this store for claims transformations against LDAP directories as well.


The Transformation consists of the following sections:

Claim Transformation Name: Give the Transformation object a name that makes it easy to recognize when adding it to the Pipelines of Authentication and Protocol connections.

Culture: Since expressions may use and compare numbers, the system needs to know which culture is in use in order to decide whether a comma or a dot marks the decimal point. Currently only two cultures are supported, Danish (comma as decimal point) and American (dot as decimal point). These should cover the needs of other cultures with regard to this issue.

Owner Organization: The organization that the Claim Transformation is added to.

Execute before loading claims from local store: By default, a claim transformation rule is executed after claims from local store are loaded for a principal. Check this option to let it execute before the load.

Conditions: It is possible to specify that the Transformation object is only applied to a Pipeline when certain conditions on the token or the user are met.

LDAP-WS service name: This specifies the LDAP-WS tenant (as specified in LDAP Web Service Settings) that is used for this connection. The LDAP Claim Transformation cannot be applied without this setting.

LDAP filter: This filter is used to query LDAP for attributes. Strive for a filter that always matches exactly one user object. With AD, sAMAccountName, userPrincipalName, and mail are good candidates for this filter.

Example: Suppose the user logs in with NemID and the filter is (LDAP attribute = “globeteamCPRNummer“, Claim type = “dk:gov:saml:attribute:CprNumberIdentifier”). The claims rule extracts the CPR number claim value from the ClaimsPrincipal and queries LDAP for a user whose globeteamCPRNummer equals that value. If the filter may match more than one user, the primary account selector can be used to pick one of them.

Primary account selector: Specify the LDAP attribute that marks the primary account (“LDAP attribute to specify the primary account”) and the value it must have. This is used to narrow the result when the LDAP filter above matches more than one account.

Claim Mapping: Maps LDAP attribute values returned by the query to claims. For example, it can be used to map tokenGroups to the RoleClaimType.

Additional settings: The following options are available when mapping AD user attributes to Identify claim types:

  • Exclude disabled users.
  • Exclude locked-out users.
  • Exclude expired users.
  • Raise an error if more than one user is found.
  • Raise an error if no users are found.
  • Sort search results by username.

Append the following domain to the Windows account name when it is used as the username.
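The steps above (build the LDAP filter from a claim value, apply the primary account selector when several accounts match, then honour the exclude/raise settings) are illustrated below as an added example. It is not Identify's own code: the in-memory directory, the globeteamPrimary attribute, the CPR numbers and account names are all constructed, and only the globeteamCPRNummer attribute name comes from the page. The one point the example adds is that the claim value being spliced into the filter comes from the incoming token, so it has to be escaped per RFC 4515 before it is used; otherwise a crafted value can widen the match instead of selecting one user.

```python
"""Constructed example of the LDAP claim transformation lookup: escape the
claim value, build the equality filter, then reduce the result set with the
primary account selector and the exclude/raise settings. No LDAP server is
contacted; a small in-memory list stands in for the search result."""

# RFC 4515: these characters are significant inside a search filter and must
# be hex-escaped when they appear in an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape an untrusted value so it is matched literally by the server."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, claim_value: str) -> str:
    """Equality filter on one attribute, e.g. (globeteamCPRNummer=...)."""
    return f"({attribute}={ldap_escape(claim_value)})"


ACCOUNTDISABLE = 0x0002  # userAccountControl bit for a disabled AD account


class NoAccountError(Exception):
    pass


class MultipleAccountsError(Exception):
    pass


# Constructed directory entries (hypothetical). Two enabled accounts share a
# CPR number (a user and an admin account); a third is disabled (512 | 0x2).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "globeteamCPRNummer": "0101701234",
     "userAccountControl": 512, "globeteamPrimary": "TRUE"},
    {"sAMAccountName": "jdoe-adm", "globeteamCPRNummer": "0101701234",
     "userAccountControl": 512, "globeteamPrimary": "FALSE"},
    {"sAMAccountName": "old-jdoe", "globeteamCPRNummer": "0101701234",
     "userAccountControl": 514},
]


def search(attribute: str, claim_value: str):
    """Stand-in for the LDAP query: the server compares the *unescaped* value
    literally, which is exactly what the escaping in build_filter guarantees."""
    return [e for e in DIRECTORY if e.get(attribute) == claim_value]


def select_account(results, primary_attribute=None, primary_value=None,
                   exclude_disabled=True, raise_if_multiple=True,
                   raise_if_none=True):
    """Apply 'Exclude disabled users', the primary account selector and the
    'Raise an error if ...' settings to a list of attribute dicts."""
    candidates = list(results)
    if exclude_disabled:
        candidates = [e for e in candidates
                      if not (int(e.get("userAccountControl", 0)) & ACCOUNTDISABLE)]
    # Only consult the primary account selector when the filter was ambiguous.
    if len(candidates) > 1 and primary_attribute is not None:
        candidates = [e for e in candidates
                      if e.get(primary_attribute) == primary_value]
    if not candidates:
        if raise_if_none:
            raise NoAccountError("no account matched the LDAP filter")
        return None
    if len(candidates) > 1:
        if raise_if_multiple:
            raise MultipleAccountsError(f"{len(candidates)} accounts matched")
        # 'Sort search results by username' makes the fallback deterministic.
        candidates.sort(key=lambda e: e.get("sAMAccountName", ""))
    return candidates[0]


def lookup(attribute, claim_value, **settings):
    """Full pipeline: returns (filter string sent to LDAP, selected entry)."""
    flt = build_filter(attribute, claim_value)
    return flt, select_account(search(attribute, claim_value), **settings)


if __name__ == "__main__":
    flt, acct = lookup("globeteamCPRNummer", "0101701234",
                       primary_attribute="globeteamPrimary", primary_value="TRUE")
    print(flt, "->", acct["sAMAccountName"])
    # A wildcard in the claim value is sent as a literal, not as a wildcard:
    print(build_filter("sAMAccountName", "*"))
```

Without the primary account selector, the same CPR number matches two enabled accounts and `select_account` raises `MultipleAccountsError` (or, with that option off, falls back to the first account by username). The disabled `old-jdoe` entry never reaches the selector while "Exclude disabled users" is on.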