SAML Attribute information is needed for role mapping. If the Identity Provider already provides InCommon eduPerson Protocol-Level Attribute Names then the well-known attribute names for first name, last name, user name and email information are automatically used. Otherwise Swank will need SAML Protocol-Level Attribute Names that contain information for:

Attributes for user roles

Any user whose role cannot be determined is not allowed to log in to Streaming Server. A role is determined by an exact match of text to a SAML Protocol-Level Attribute Name and a partial match to an attribute value. Here is an example using eduPersonScopedAffiliation or eduPersonEntitlement, but you can match to any SAML Protocol-Level Attribute Name in the same way for your Streaming Server portal.

| User Role | Partial matching text | FriendlyName | Protocol-Level Attribute Name | Attribute Value |
|---|---|---|---|---|
| Basic User Role | employee@ | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | staff@school.edu; employee@school.edu; member@school.edu |
| Instructor User Role | Microscope | eduPersonEntitlement | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 | urn:mace:school.edu:confocalMicroscope |
| No User Role (no access) | Notfound | eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | staff@school.edu; employee@school.edu; member@school.edu |

Table 1: Attributes for user roles

Basic and User Roles

When a user is being authenticated as a Basic or User role, it is not necessary to send the SAML attributes identifying their first name, last name, user name, or email address.

Instructor and Admin Roles

When a user is being authenticated as the Instructor or Admin role, it is required that the Identity Provider sends a SAML attribute for email address (urn:oid:0.9.2342.19200300.100.1.3) and a SAML attribute for at least one of first name (urn:oid:2.5.4.42), last name (urn:oid:2.5.4.4), or user name (urn:oid:2.16.840.1.113730.3.1.241).
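To make the role-mapping and required-attribute rules above concrete, here is an added Python example (not Swank's own code) that applies the Table 1 rules to the AttributeStatement of a constructed, unsigned assertion: exact match on the attribute Name, substring match on the value, no role when nothing matches, and the email plus givenName/sn/displayName requirement for the Instructor and Admin roles. Rule precedence (Instructor before Basic), case-sensitive matching and the `make_assertion` test helper are this example's assumptions; it inspects attributes only, so signature and Conditions validation are assumed to have been done earlier.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Role rules from Table 1: exact match on the Protocol-Level Attribute Name,
# case-sensitive substring match on any of its values. Rule order (more
# privileged role first) is this example's assumption; the page states none.
ROLE_RULES = [
    ("Instructor", "urn:oid:1.3.6.1.4.1.5923.1.1.1.7", "Microscope"),
    ("Basic", "urn:oid:1.3.6.1.4.1.5923.1.1.1.9", "employee@"),
]
EMAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # mail
NAME_OIDS = ("urn:oid:2.5.4.42", "urn:oid:2.5.4.4", "urn:oid:2.16.840.1.113730.3.1.241")

def parse_attributes(assertion_xml):
    """Return {Name: [values]} from the assertion's AttributeStatement."""
    attrs = {}
    for a in ET.fromstring(assertion_xml).iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    return attrs

def map_role(attrs):
    for role, oid, needle in ROLE_RULES:
        if any(needle in v for v in attrs.get(oid, [])):
            return role
    return None  # no rule matched: no role, no login
def authorize(assertion_xml):
    """Return (role, reason); role is None whenever login must be refused."""
    attrs = parse_attributes(assertion_xml)
    role = map_role(attrs)
    if role is None:
        return None, "no role could be determined"
    if role in ("Instructor", "Admin"):  # these roles need identity attributes
        if not attrs.get(EMAIL_OID):
            return None, "missing email attribute"
        if not any(attrs.get(o) for o in NAME_OIDS):
            return None, "missing givenName, sn or displayName"
    return role, "ok"
def make_assertion(attrs):
    """Build a constructed, unsigned test assertion from {Name: [values]} (helper, not SAML library code)."""
    body = "".join(f'<saml:Attribute Name="{n}">' + "".join(
        f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs) + "</saml:Attribute>"
        for n, vs in attrs.items())
    return f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>'

# Constructed sample: the Table 1 instructor case plus the Table 2 mail and sn attributes.
SAMPLE = make_assertion({
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["staff@school.edu", "employee@school.edu"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ["urn:mace:school.edu:confocalMicroscope"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["rsanchez@school.edu"],
    "urn:oid:2.5.4.4": ["Sanchez"],
})
```

`authorize(SAMPLE)` returns `("Instructor", "ok")`; dropping the mail attribute from the same assertion makes it return `(None, "missing email attribute")`.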

| Attribute Description | Friendly Name | Protocol-Level Attribute Name | Attribute Value |
|---|---|---|---|
| First name | givenName | urn:oid:2.5.4.42 | Rick |
| Last name | sn | urn:oid:2.5.4.4 | Sanchez |
| User name (displayed in upper right corner) | displayName (sn + givenName is used if displayName is missing) | urn:oid:2.16.840.1.113730.3.1.241 | Rick Sanchez |
| Email | mail | urn:oid:0.9.2342.19200300.100.1.3 | rsanchez@school.edu |

Table 2: Attribute examples

Non-Standard SAML Attributes

If the Identity Provider uses Protocol-Level Attribute Names other than those listed above (givenName = urn:oid:2.5.4.42, etc.), the Streaming Server can still work with it. Just provide your account manager with a list of the Protocol-Level Attribute Names that your Identity Provider uses for first name, last name, user name, and email.