How to Configure SAML 2.0 Template Application

Instructions

Attribute Grammar

The attribute statement field can be configured to map user values to SAML attributes. The SAMLResponse will be sent to the configured SP (Service Provider) endpoint.

The format for the configuration is

AttributeName|Value
AttributeName|Value|Namespace

If no namespace is specified the default namespace used is:
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

Each pair or triplet makes up an attribute configuration. The attribute values a delimited with "|". The system can be configured to have multiple attribute pairs (triplets) each one is delimited by a ",".

The AttributeValue can be either a fixed static value or a dynamic value. Dynamic values follow the current format ${user.'fieldName'}

Supported Dynamic Values

Base User Attributes ⌄

${user.firstName} Sign into the Okta Admin dashboard to generate this value.
${user.lastName} Sign into the Okta Admin dashboard to generate this value.
${user.email} Sign into the Okta Admin dashboard to generate this value.
${user.userName} Default userName format

The userName value used is the configured userName format for the Template SAML App

To access Active Directory or LDAP user attribute values values, the following Format is used. (Note: the instances ID has to be used to identify what application instance that the users attributes are mapped from)

AttributeName|instanceId:fieldMapping
AttributeName|instanceId:fieldMapping|Namespace
instanceId:${user.property}

Application Specific Attributes

LDAP ⌄

${user.userName} Sign into the Okta Admin dashboard to generate this value.
LDAP default value for userName is the UID
${user.dn} Sign into the Okta Admin dashboard to generate this value.
${user.title} Sign into the Okta Admin dashboard to generate this value.
${user.managerDn} Sign into the Okta Admin dashboard to generate this value.
${user.countryCode} Sign into the Okta Admin dashboard to generate this value.
${user.streetAddress} Sign into the Okta Admin dashboard to generate this value.
${user.city} Sign into the Okta Admin dashboard to generate this value.
${user.state} Sign into the Okta Admin dashboard to generate this value.
${user.postalCode} Sign into the Okta Admin dashboard to generate this value.
${user.deliveryOffice} Sign into the Okta Admin dashboard to generate this value.
${user.departmentNumber} Sign into the Okta Admin dashboard to generate this value.
${user.telephoneNumber} Sign into the Okta Admin dashboard to generate this value.
${user.managerUpn} Sign into the Okta Admin dashboard to generate this value.
${user.organizationalUnit} Sign into the Okta Admin dashboard to generate this value.
${user.preferredLanguage} Sign into the Okta Admin dashboard to generate this value.
${user.postalAddress} Sign into the Okta Admin dashboard to generate this value.
${user.extraField1Attr} Sign into the Okta Admin dashboard to generate this value.
${user.extraField2Attr} Sign into the Okta Admin dashboard to generate this value.
${user.extraField3Attr} Sign into the Okta Admin dashboard to generate this value.
${user.extraField4Attr} Sign into the Okta Admin dashboard to generate this value.

Active Directory ⌄

${user.userName} Sign into the Okta Admin dashboard to generate this value.
Default field mapped to userName from Active Directory is the UPN (User Principal Name)
${user.samAccountName} Sign into the Okta Admin dashboard to generate this value.
${user.department} Sign into the Okta Admin dashboard to generate this value.
${user.primaryGroupId} Sign into the Okta Admin dashboard to generate this value.

Workday ⌄

${user.accountType} Sign into the Okta Admin dashboard to generate this value.
${user.managerId} Sign into the Okta Admin dashboard to generate this value.
${user.managerUserName} Sign into the Okta Admin dashboard to generate this value.
${user.businessTitle} Sign into the Okta Admin dashboard to generate this value.
${user.countryCode} Sign into the Okta Admin dashboard to generate this value.
${user.streetAddress} Sign into the Okta Admin dashboard to generate this value.
${user.city} Sign into the Okta Admin dashboard to generate this value.
${user.state} Sign into the Okta Admin dashboard to generate this value.
${user.postalCode} Sign into the Okta Admin dashboard to generate this value.
${user.supervisoryOrg} Sign into the Okta Admin dashboard to generate this value.
${user.businessUnit} Sign into the Okta Admin dashboard to generate this value.
${user.workPhone} Sign into the Okta Admin dashboard to generate this value.
${user.location} Sign into the Okta Admin dashboard to generate this value.

Examples

Example Simple:

email|${user.email},firstName|${user.firstName},role|ENG

Example Using a namespace:

role|ENG|urn:oasis:names:tc:SAML:2.0:attrname-format:uri, email|${user.email}|urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Example Using Active Directory attributes:

dn|12341234:${user.dn}|urn:oasis:names:tc:SAML:2.0:attrname-format:uri, samAccountName|12341234:${user.samAccountName}|urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Configuration Data

The following information is necessary for SP Endpoint Configuration.

External key:
Sign into the Okta Admin dashboard to generate this value.
Public certificate: Sign into the Okta Admin dashboard to generate this value.
Redirect Login URL
Sign into the Okta Admin dashboard to generate this value.
Provide the following IDP metadata to your SP provider.

[Sign into the Okta Admin dashboard to generate this value.]
Sign into the Okta Admin dashboard to generate this value. Select All

More Help

Attribute Format:

AttributeName|Value
AttributeName|Value|Namespace
AttributeName|${user.field}
AttributeName|AppInstance:${user.instanceField}