
    LDAP attribute claim transformation

    It is important to stress that the LDAP attributes store (aka LDAP attribute claims transformation) is not limited to the LDAP Identity provider connector. It is a full, stand-alone feature on its own. That said, other plug-ins will be able to use this store for claims transformations against LDAP directories as well.

    LDAP attribute claim transformation

    The Transformation consists of the following sections:

    • LDAPWS service name: This specifies the LDAP-WS tenant (as specified in LDAP Web Service Settings) that is used for this connection. The LDAP Claim Transformation cannot be applied without this setting.
    • LDAP attribute to filter for user object: This filter is used to query LDAP for attributes. One should strive to create a filter that always matches a single user object. samAccountName, userPrincipalName, and email are good candidates for this filter when used with AD.
    • Claim type to extract value from claims principal to match against the LDAP attribute: the claim whose value is used for the filter attribute above. Example: the user logs in with NemID and the filter is configured as (LDAP attribute = "globeteamCPRNummer", Claim type = "dk:gov:saml:attribute:CprNumberIdentifier"). The claims rule extracts the CPR Number claim value from the claims principal and queries LDAP for a user whose globeteamCPRNummer equals that value. When this filter may match more than one user, the primary account selector can be used to pick a primary one.
    • LDAP attribute to specify the primary account: Specifies the LDAP attribute, which is used to specify the primary account and the value to be used to filter if the LDAP filter above matches more than one account.
    • Primary account attribute value: The value to be used to filter in "LDAP attribute to specify the primary account".
    • Claim Mapping (LDAP attribute - Claim type): specifies claims which are used for mapping LDAP attribute values queried from LDAP. For example, it can be used to map tokengroups to RoleClaimType.
    • Additional settings: The following settings refine how the AD user attributes are mapped to Identify claim types:
      • Exclude disabled users.
      • Exclude locked-out users.
      • Exclude expired users.
      • Raise an error if more than one user is found.
      • Raise an error if no users are found.
      • Sort search results by username.
      • As username, append the following domain to the Windows account name when it is asked for.
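    The following is an added example, not Identify's own code, that models the transformation above end to end: extract the configured claim value, build an RFC 4515-escaped equality filter from it (so a claim value such as "*" cannot widen the search), apply the disabled/locked-out/expired exclusions, resolve multiple matches with the primary account selector, and map LDAP attributes to claim types. The in-memory directory, the CPR values, the primaryAccount attribute and the group names under tokenGroups are constructed assumptions; the accountExpires values are modelled as datetimes rather than AD's FILETIME encoding.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

UAC_ACCOUNTDISABLE = 0x0002  # real userAccountControl bit for a disabled account
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


@dataclass
class Settings:
    """Mirrors the sections of the LDAP attribute claim transformation."""
    filter_attribute: str                      # LDAP attribute to filter for user object
    claim_type: str                            # claim whose value is matched against it
    primary_attribute: Optional[str] = None    # LDAP attribute to specify the primary account
    primary_value: Optional[str] = None        # primary account attribute value
    claim_mapping: Dict[str, str] = field(default_factory=dict)  # LDAP attribute -> claim type
    exclude_disabled: bool = True
    exclude_locked_out: bool = True
    exclude_expired: bool = True
    error_if_multiple: bool = True
    error_if_none: bool = True


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a claim value can only ever be compared, never change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(settings: Settings, claims: Dict[str, str]) -> str:
    value = claims.get(settings.claim_type)
    if value is None:
        raise ValueError("claims principal has no %s claim" % settings.claim_type)
    return "(%s=%s)" % (settings.filter_attribute, escape_filter_value(value))


_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def search(directory: List[dict], ldap_filter: str) -> List[dict]:
    """Stand-in for the LDAP-WS query: exact (case-insensitive) equality on one attribute."""
    m = _EQUALITY.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr = m.group(1)
    wanted = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return [e for e in directory if str(e.get(attr, "")).lower() == wanted.lower()]


def account_usable(entry: dict, settings: Settings, now: datetime) -> bool:
    if settings.exclude_disabled and entry.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE:
        return False
    if settings.exclude_locked_out and entry.get("lockoutTime"):
        return False
    expires = entry.get("accountExpires")  # None models "never expires"
    if settings.exclude_expired and expires is not None and expires <= now:
        return False
    return True


def transform(directory: List[dict], settings: Settings, claims: Dict[str, str],
              now: Optional[datetime] = None) -> Dict[str, object]:
    now = now or datetime.now(timezone.utc)
    matches = [e for e in search(directory, build_filter(settings, claims))
               if account_usable(e, settings, now)]
    if len(matches) > 1 and settings.primary_attribute:
        primary = [e for e in matches
                   if str(e.get(settings.primary_attribute)) == settings.primary_value]
        if primary:
            matches = primary
    if not matches:
        if settings.error_if_none:
            raise LookupError("no LDAP user matched the claim value")
        return dict(claims)
    if len(matches) > 1:
        if settings.error_if_multiple:
            raise LookupError("%d LDAP users matched the claim value" % len(matches))
        matches.sort(key=lambda e: e.get("sAMAccountName", ""))  # sort by username
    entry = matches[0]
    out: Dict[str, object] = dict(claims)
    for ldap_attr, claim_type in settings.claim_mapping.items():
        if ldap_attr in entry:
            out[claim_type] = entry[ldap_attr]
    return out


# Constructed sample directory; CPR values and group names are placeholders, not real data.
DIRECTORY = [
    {"sAMAccountName": "alice", "globeteamCPRNummer": "0101700000", "userAccountControl": 0x200,
     "lockoutTime": 0, "accountExpires": None, "tokenGroups": ["Users", "Finance"], "primaryAccount": "TRUE"},
    {"sAMAccountName": "alice-adm", "globeteamCPRNummer": "0101700000", "userAccountControl": 0x200,
     "lockoutTime": 0, "accountExpires": None, "tokenGroups": ["Users", "Domain Admins"], "primaryAccount": "FALSE"},
    {"sAMAccountName": "bob", "globeteamCPRNummer": "0202700000", "userAccountControl": 0x202,
     "lockoutTime": 0, "accountExpires": None, "tokenGroups": ["Users"]},
    {"sAMAccountName": "carol", "globeteamCPRNummer": "0303700000", "userAccountControl": 0x200,
     "lockoutTime": 0, "accountExpires": datetime(2020, 1, 1, tzinfo=timezone.utc), "tokenGroups": ["Users"]},
]

SETTINGS = Settings(
    filter_attribute="globeteamCPRNummer",
    claim_type="dk:gov:saml:attribute:CprNumberIdentifier",
    primary_attribute="primaryAccount", primary_value="TRUE",
    claim_mapping={"tokenGroups": ROLE_CLAIM, "sAMAccountName": "username"},
)
```

In this model the claim value is escaped before it reaches the filter, so a value of "*" is sent as "\2a" and matches nothing instead of being read as a presence filter; the same escaping is what keeps the "LDAP attribute to filter for user object" setting safe when the incoming claim is under the user's control. Two accounts sharing one CPR value are narrowed to the one carrying primaryAccount=TRUE, a disabled or expired account is dropped before the "raise an error if no users are found" check runs, and only the attributes listed under Claim Mapping are copied onto the claims principal.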