NameID Format Transformation
This Transformation page provides users the ability to change NameID format in the same way as in ADFS 2.0. It helps configure which claim type should be used as NameID and what the NameID format should be.
The Transformation consists of the following sections.
Claim Transformation Name: Give the Transformation object a name that will make it easy to recognize when adding to the Pipelines of Authentication and Protocol connections.
Culture: Since expressions may use and compare numbers, the system needs to know which culture is in use to decide whether a comma or a dot marks the decimal point. Currently only two cultures are supported, Danish (comma is the decimal point) and American (dot is the decimal point). These should cover the needs of other cultures in this regard.
Owner Organization: The organization that the Claim Transformation is added to.
Execute before loading claims from local store: By default, a claim transformation rule is executed after claims from local store are loaded for a principal. Check this option to let it execute before the load.
Conditions: It is possible to specify that the Transformation object is only applied to a Pipeline when certain conditions on the token or the user hold. The available conditions are:
- The option to skip the Transformation step when the token belongs or does not belong to a user identified as existing in the Safewhere Identify repository.
- The option to specify that the Transformation object is not applied when the token is processed via a specific Authentication Connection or Protocol Connection.
- The option to specify regular expressions that define which tokens are to be exposed to the transformation step. Please see the Using Regular Expressions in Claim Transformation Conditions section to learn more.
NameID claim mapping: This section helps configure which claim type should be used as NameID and what the NameID format should be.
There are two drop-down lists:
Source: Offers all free claims that exist in Identify.
- There is also a special option called "Name Id", which means the NameID value extracted from the token received from an upstream Identity Provider will be used.
NameID format: includes six items.
- None
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient (*)
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
(*) When the NameID format is Transient, the Source drop-down is disabled.
Business logic
- When a NameID claims transformation is configured, SAML 2.0 tokens are issued accordingly: the Subject includes a <NameID> whose Format is the one chosen from "NameID format" and whose value is the value of the claim type chosen from "Source".
- When no NameID claims transformation is configured, a NameID with the default format Unspecified and the logged-in user's identity name as value is issued, for example <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</NameID>.
- When a NameID claims transformation is configured to use the Transient format, the NameID value is randomly generated, for example <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_6341433e-313d-4971-94f9-29a502bd7b69</NameID>.
- When a NameID claims transformation is configured to use the Persistent format, a NameID with that format is issued, but the value is still the logged-in user's identity name, for example <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">tmhtest</NameID>.
To use a Persistent Pseudonym together with the Persistent NameID format, enable "Use Persistent Pseudonym" on the Application connection and combine it with a NameID claims transformation configured as below:
- An error is returned when no claim value, or more than one claim value, is found for the selected Source.
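The following Python model of the business logic above is an added example, not Safewhere Identify's own code. It reproduces the stated rules: Unspecified with the identity name when nothing is configured, a fresh random value for Transient (Source ignored), the identity name for Persistent, a Source claim lookup for the remaining formats, and an error when the Source yields zero or several values. The pseudonym derivation (an HMAC over application name and identity, keyed with a server-side secret) is an assumption used only to show that a persistent pseudonym stays stable per application while a transient value changes per token; the page does not state how the product derives it. All function and parameter names are hypothetical.

```python
import hashlib
import hmac
import uuid
from dataclasses import dataclass
from typing import List, Optional, Tuple
from xml.sax.saxutils import escape, quoteattr

# NameID format URIs offered by the "NameID format" drop-down on the page.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

NAME_ID_SOURCE = "Name Id"  # special Source option: reuse the upstream IdP's NameID

Claim = Tuple[str, str]  # (claim type, claim value)


class NameIdTransformationError(ValueError):
    """Raised when the Source claim yields zero or more than one value."""


@dataclass(frozen=True)
class NameIdTransformation:
    source: Optional[str]  # claim type or NAME_ID_SOURCE; disabled for Transient
    name_id_format: str


def resolve_name_id(claims: List[Claim], identity_name: str,
                    transformation: Optional[NameIdTransformation],
                    upstream_name_id: Optional[str] = None,
                    persistent_pseudonym_for: Optional[str] = None,
                    pseudonym_secret: bytes = b"") -> Tuple[str, str]:
    """Return (format, value) for the NameID to issue."""
    # No transformation configured: Unspecified format, logged-in identity name.
    if transformation is None:
        return UNSPECIFIED, identity_name
    fmt = transformation.name_id_format
    # Transient: Source is disabled and a fresh value is generated for every token.
    if fmt == TRANSIENT:
        return TRANSIENT, "_" + str(uuid.uuid4())
    if fmt == PERSISTENT:
        if persistent_pseudonym_for is None:
            # Persistent without pseudonym: value is still the identity name.
            return PERSISTENT, identity_name
        # "Use Persistent Pseudonym" enabled: ASSUMED derivation, stable per
        # application, unlinkable across applications without the secret.
        msg = f"{persistent_pseudonym_for}|{identity_name}".encode()
        return PERSISTENT, hmac.new(pseudonym_secret, msg, hashlib.sha256).hexdigest()
    # Remaining formats take the value from the selected Source.
    if transformation.source == NAME_ID_SOURCE:
        values = [upstream_name_id] if upstream_name_id else []
    else:
        values = [v for t, v in claims if t == transformation.source]
    if len(values) != 1:
        raise NameIdTransformationError(
            f"expected exactly one value for {transformation.source!r}, found {len(values)}")
    return fmt, values[0]


def name_id_element(fmt: str, value: str) -> str:
    """Serialise the <NameID> element with attribute and text escaping applied."""
    return f"<NameID Format={quoteattr(fmt)}>{escape(value)}</NameID>"


def issue_name_id(claims: List[Claim], identity_name: str,
                  transformation: Optional[NameIdTransformation], **kw) -> str:
    return name_id_element(*resolve_name_id(claims, identity_name, transformation, **kw))


if __name__ == "__main__":
    # Constructed sample claims for a logged-in user "admin".
    sample_claims = [("email", "admin@example.com"), ("role", "operator")]
    print(issue_name_id(sample_claims, "admin", None))
    print(issue_name_id(sample_claims, "admin", NameIdTransformation("email", EMAIL)))
    print(issue_name_id(sample_claims, "admin", NameIdTransformation(None, TRANSIENT)))
    print(issue_name_id(sample_claims, "tmhtest", NameIdTransformation(None, PERSISTENT)))
    print(issue_name_id(sample_claims, "tmhtest", NameIdTransformation(None, PERSISTENT),
                        persistent_pseudonym_for="app1", pseudonym_secret=b"server-secret"))
```

The exactly-one check matters for security as well as correctness: issuing a NameID built from the first of several matching claim values would silently bind the session to whichever value happened to sort first, so the transformation refuses instead.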