Attribute claims guide
This page applies to new accounts created on or after August 4, 2021, and to accounts upgraded to the new sign in system.
How these are used in Cloud One
In general, when setting up SAML attributes and claims, people set the NameID to a specific value. Cloud One does not use NameID; it maps only optional claims for Name, Locale, and Timezone.
However, NameID must be present, otherwise single sign-on will not work. This is important in configurations such as ADFS, where you need to manually specify its value, as opposed to other services that automatically configure NameID for you.
When you navigate to My Profile, you are not considered to be inside an account. Therefore you should expect to see a blank e-mail since it is not used alongside your other mappings.
Default values
If Name, Locale or Timezone are either not mapped during your identity provider creation or not present/valid in your identity provider's directory, then these optional claims will use the following default values:
- Name: Will be User
- Locale: Will be English unless your browser language is set to Japanese. Note that if a language has previously been selected from Cloud One's language picker then it will use that cached value instead.
- Timezone: Will default to the timezone value that your browser determines you are in.
Mapping to locale and timezone
Locales currently supported are en (English) and ja (Japanese).
Timezone should match the database name, for example: America/Toronto.
Customizing claims from the service provider
Most service providers provide the ability to customize claims.
- In Azure AD, this is called Transformations.
- In Okta, this is done with their Expression Language. Note that they also have different user references. The most common will be the user profile (user.) but data can also come from the application user profile (appuser.) or IdP user profile (idpuser.).
- In Active Directory Federation Services (ADFS), you can do this when creating a Custom Rule.
- In Google you can create Custom Attributes for user profiles. However, there is no expression support at this time.
Here are some examples of why you'd want to do this:
- Add new name/timezone/locale fields to user profiles and map to those if the identity provider's user directory is insufficient or if you don't want to use the default values from Cloud One.
- Combine first and last name and map that to Name in Cloud One.
- Trim the preferredLanguage from a Microsoft product, which is in the format of en-US, to just return en and map that to Locale.
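The rules above (NameID must be present; Locale must be en or ja; Timezone must be a valid name, otherwise defaults apply) can be checked against a decoded assertion from a test login before you rely on the mapping. This is an added example, not Trend Micro code: the attribute names name, locale and timezone are hypothetical stand-ins for whatever your mapping sends, the sample assertion is constructed, and it assumes timezone values are IANA tz database names such as America/Toronto.

```python
import re
import xml.etree.ElementTree as ET
import zoneinfo

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUPPORTED_LOCALES = {"en", "ja"}  # locales this page lists as supported

# Constructed sample assertion; attribute names are hypothetical placeholders.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="name"><saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="locale"><saml:AttributeValue>en-US</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="timezone"><saml:AttributeValue>Eastern Standard Time</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def valid_timezone(tz):
    names = zoneinfo.available_timezones()
    if names:
        return tz in names
    # No tz data installed on this host: fall back to an Area/Location shape check.
    return re.fullmatch(r"[A-Za-z_]+(/[A-Za-z0-9_+-]+)+", tz) is not None

def check_assertion(xml_text, names=("name", "locale", "timezone")):
    """Return a list of findings for one decoded SAML assertion."""
    # Lints claim values only; it does not verify the assertion's signature.
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    findings = []
    if not (root.findtext(".//saml:Subject/saml:NameID", "", NS) or "").strip():
        findings.append("NameID missing: single sign-on will not work")
    name_attr, locale_attr, tz_attr = names
    if not attrs.get(name_attr):
        findings.append("Name not sent: the default (User) applies")
    locale = attrs.get(locale_attr, "")
    if locale not in SUPPORTED_LOCALES:
        hint = locale.split("-")[0].lower()
        fix = f"; trim to '{hint}' at the IdP" if hint in SUPPORTED_LOCALES else ""
        findings.append(f"Locale '{locale}' is not en or ja{fix}")
    tz = attrs.get(tz_attr, "")
    if not valid_timezone(tz):
        findings.append(f"Timezone '{tz}' not valid: the browser timezone applies")
    return findings
```

The sample yields two findings: the untrimmed en-US locale, and a Windows-style timezone name of the kind a directory may hold instead of America/Toronto.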