SAML / JWT Attributes / Claims

When claims/attributes are configured in Federations, they are specified in the configuration as a JSON array of strings.

Each string has the format name=value.

Example:

"attributes": [
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn=userid",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=username",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role=groups",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=email1"
]

or for JWT:

"claims": [
  "sub=userid",
  "groups=groups",
  "name=username"
]


Names

The name is the attribute name as it will appear in the ticket/token.

Values

The value has special meaning; it refers to attributes within Ceptor's session (see Sessions for more info).

| Value | Meaning |
| --- | --- |
| null | Leave the claim out. This has the same meaning as if the claim was not present at all, but it can be used as a placeholder in the configuration that can later be changed to another attribute. |
| userid | User's ID |
| username | User's name |
| sessionid | PP Session ID |
| customerid | Customer ID |
| isinternal | True if user is internal, false if not |
| agreementid | Agreement ID |
| authmethod | Authentication method (note that for SAML tokens the name of the authentication method can be mapped; see Federation - SAML / WebSSO) |
| authlvl | Authentication level |
| __literal | Literal value. If the value starts with two underscore characters, it is taken as a literal, e.g. "salary=__secret" will create the claim {"salary": "secret"} in the JWT token or SAML ticket. |
| <field name> | For JWT tokens only: if the value matches a configured field name, e.g. "address", then it will be used as a complex/nested field, e.g. {"address": {"country": "DK", "street_address": "Kronprinsessegade 54", "postal_code": "1306"}} |
| _state_xxxxx | Refers to a state variable within the session, e.g. state=_state_username picks out the value from the state variable named "username" instead of the field "username" within the session. |
| Anything else | Any other value is matched up against a state variable within the session. |
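
The following is an added example, not Ceptor's own code. It applies the value rules from the table above to a constructed session, so a reviewer can see which claims a mapping list would emit and can flag literals and unrecognised values that fall through to a state-variable lookup. The function names, the sample data, splitting on the first "=", the order in which the rules are checked, and leaving out unresolved claims are all assumptions.

```python
import json

# Session keywords from the Value/Meaning table above.
SESSION_KEYS = {"userid", "username", "sessionid", "customerid",
                "isinternal", "agreementid", "authmethod", "authlvl"}

def classify(value, fields):
    """Classify the right-hand side of one name=value mapping."""
    if value == "null":
        return "omit", None
    if value.startswith("_state_"):
        return "state", value[len("_state_"):]
    if value.startswith("__"):
        return "literal", value[2:]
    if value in SESSION_KEYS:
        return "session", value
    if value in fields:          # JWT only; precedence here is an assumption
        return "field", value
    return "fallthrough", value  # "Anything else": looked up as a state variable

def resolve(mappings, session, state, fields):
    """Return (claims, audit); audit lists (claim name, kind) per entry."""
    claims, audit = {}, []
    for entry in mappings:
        name, sep, value = entry.partition("=")  # assumption: split on first "="
        if not (name and sep):
            raise ValueError(f"not in name=value form: {entry!r}")
        kind, key = classify(value, fields)
        audit.append((name, kind))
        source = {"literal": {key: key}, "session": session, "field": fields,
                  "state": state, "fallthrough": state}.get(kind, {})
        if source.get(key) is not None:  # assumption: unresolved claims are left out
            claims[name] = source[key]
    return claims, audit

# Constructed sample data (not from a real deployment).
CONFIG = json.loads('{"claims": ["sub=userid", "name=username", "salary=__secret",'
                    ' "state=_state_username", "nickname=null", "uid=usrid",'
                    ' "address=address"]}')
SESSION = {"userid": "u1001", "username": "Jane Doe"}
STATE = {"username": "jdoe"}
FIELDS = {"address": {"country": "DK", "postal_code": "1306"}}

def demo():
    return resolve(CONFIG["claims"], SESSION, STATE, FIELDS)

if __name__ == "__main__":
    claims, audit = demo()
    print(json.dumps(claims, indent=2))
    print([a for a in audit if a[1] in ("literal", "fallthrough")])
```

In the sample, the misspelled keyword "usrid" is not rejected: it is treated as a state-variable name under the "Anything else" rule, so the "uid" claim is missing from the output while "salary" carries the same literal for every user.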

© Ceptor ApS. All Rights Reserved.