Attribute mappings¶
This feature allows you to define how user attributes returned by the external IdP are mapped to person attributes managed by Onegini IdP. The attribute mappings functionality is supported by multiple identity provider types like LDAP, SAML and OAuth2 based socials (ex. Facebook or LinkedIn). This guide will walk you through defining attribute mappings for your Identity Provider instance.
The attributes mapping is used in tree scenarios:
- Sign-up with external IdP - when user unknown* to Onegini IdP logs in for the first time. Depending on configuration he might be asked for additional pieces of information like email, name, address etc. Those fields are filled in sign-up form and then are mapped to profile attribute.
- Automatic sign-up - when user unknown to Onegini IdP logs in for the first time and Just-in-time external IdP sign-up enabled* feature is enabled. In this flow the attribute mappings functionality is used to create the person and feed it with data provided by the external IdP.
- Login with external IdP - when user known to Onegini IdP logs in with an external IdP. Since user data may change in the external IdP, for example his mobile number may be updated, the Onegini IdP synchronizes it's state with the one provided by the external IdP. During flow the attribute mappings is used for keeping user's data up-to-date on the Onegini IdP end.
*The user is known to the Onegini IdP when his account is created and linked with the external IdP.
Prerequisites¶
To successfully complete this topic guide you need to ensure following prerequisites:
- Onegini IdP instance must to be running, for the sake of this guide we assume it's available under http://idp-core.dev.onegini.me address
- External IdP (Identity Provider of either SAML, LDAP, Facebook or LinkedIn type) must be running externally from Onegini IdP
Configuration¶
The attribute mappings can be defined on the Identity Provider configuration level, but please note that not all IdP types support attribute mappings. To configure visit the admin console page and navigate to your Identity Provider details page (Config > Identity Providers).
The configuration form allows you to define mappings for all supported basic user attributes as well as custom attributes. Provide the attribute name returned by specific IdP in correct input in order to define a mapping.
Attributes on sign-up page¶
Configured mapped attributes are present on sign-up page. Administrator can customise whether those fields should be editable or not. By default they are non-editable. In order to make it possible for user to edit "is editable" checkbox should be marked. Please note that some fields (like e-mail address or mobile phone number) might be required depending on other application settings. To make it possible for end-user to submit the sign-up form please make sure that identity provider always provides mapped attributes and they are in proper format, especially when they're not editable, because otherwise user might not be able to submit form and complete registration process.
To define a correct mapping for a particular identity provider please refer to it's documentation. Below is the list of some of it.
iDIN¶
For the latest list of available attributes please refer to iDIN documentation:
- English: https://betaalvereniging.atlassian.net/wiki/spaces/IIDIFMD/pages/588284049/iDIN+Merchant+Implemention+Guide+EN
- Dutch: https://betaalvereniging.atlassian.net/wiki/spaces/IIDIFMD/pages/588579051/iDIN+Acceptant+Implementatie+Gids+NL
List of the attributes supported at the moment by iDIN:
urn:nl:bvn:bankid:1.0:consumer.gender
urn:nl:bvn:bankid:1.0:consumer.legallastname
urn:nl:bvn:bankid:1.0:consumer.preflastname
urn:nl:bvn:bankid:1.0:consumer.partnerlastname
urn:nl:bvn:bankid:1.0:consumer.legallastnameprefix
urn:nl:bvn:bankid:1.0:consumer.preflastnameprefix
urn:nl:bvn:bankid:1.0:consumer.initials
urn:nl:bvn:bankid:1.0:consumer.dateofbirth
urn:nl:bvn:bankid:1.0:consumer.street
urn:nl:bvn:bankid:1.0:consumer.houseno
urn:nl:bvn:bankid:1.0:consumer.housenosuf
urn:nl:bvn:bankid:1.0:consumer.addressextra
urn:nl:bvn:bankid:1.0:consumer.postalcode
urn:nl:bvn:bankid:1.0:consumer.city
urn:nl:bvn:bankid:1.0:consumer.country
urn:nl:bvn:bankid:1.0:consumer.deprecatedbin
urn:nl:bvn:bankid:1.0:consumer.is18orolder
urn:nl:bvn:bankid:1.0:consumer.preferedlastname
urn:nl:bvn:bankid:1.0:consumer.partnerlastname
urn:nl:bvn:bankid:1.0:consumer.preferedlastnameprefix
urn:nl:bvn:bankid:1.0:consumer.partnerlastnameprefix
urn:nl:bvn:bankid:1.0:consumer.telephone
urn:nl:bvn:bankid:1.0:consumer.email
urn:nl:bvn:bankid:1.0:consumer.intaddressline1
urn:nl:bvn:bankid:1.0:consumer.intaddressline2
urn:nl:bvn:bankid:1.0:consumer.intaddressline3