Retrieve identity attributes with SAML

Retrieve attributes about the user's identity when authenticating against a SAML IdP.

The SAML Single sign-on (SSO) protocol does not let the service provider specify, in the authentication request, which attributes the IdP must return. The IdP can nevertheless include user details such as the user's full name, email address, country, and so on, in the assertion it returns. These user-specific attributes are optional and are configured at the IdP level. As a prerequisite, refer to your IdP documentation for how to map and define the list of attributes to release to the JGAS when setting up the authentication.

Because SAML supports identity federation, it provides a mechanism to map user-specific attributes between different IdPs: an attribute carrying one name in one IdP can carry a different name in another. If federation is in use, map the user-specific attributes accordingly, so that each IdP releases them under the names your application expects.

These user-specific attributes are carried in the SAML assertion returned by the IdP. Genero decodes them and exposes each one to the application as an environment variable named after the attribute with the prefix SAML_ (for example, an attribute named email becomes SAML_email), so the suffix must match the attribute name released by the IdP exactly. The integrity of these values rests on the SAML layer having validated the assertion before the variables are set; the application cannot re-check this from the variables, and it should still treat the values as input data, for instance by using them only through placeholders in SQL statements.

To retrieve the user-specific SAML attributes returned by the IdP in your Genero application, add an fgl_getenv() call for each attribute. fgl_getenv() returns NULL when the variable is not set, that is, when the IdP did not release the attribute under that name:
DEFINE email, fullname, country STRING
# The suffix after SAML_ must match the attribute name released by the IdP
LET email = fgl_getenv("SAML_email")
LET fullname = fgl_getenv("SAML_fullname")
LET country = fgl_getenv("SAML_country")

The Genero application now holds the identity attributes released by the IdP; a NULL value means the attribute was not released under that name.
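The following program is an added example, not code from the Genero documentation or from the JGAS. It reads the SAML_ variables the way described above, but also handles the two practical cases the text raises: a federated setup where different IdPs release the same attribute under different names, and an assertion that did not carry a mandatory attribute at all. The alternative attribute names (mail, displayName, cn, c) and the function name first_saml_attribute are assumptions for illustration; use the names your own IdPs actually release.

```genero
# Added example: read SAML attributes exposed as SAML_* environment variables,
# tolerating naming differences between federated IdPs and refusing to run
# with an incomplete identity. Not part of the Genero documentation.

# Return the first non-empty SAML_<name> variable among a comma-separated
# list of candidate attribute names, or NULL if none of them is present.
FUNCTION first_saml_attribute(candidates)
    DEFINE candidates STRING
    DEFINE tok base.StringTokenizer
    DEFINE name, value STRING
    LET tok = base.StringTokenizer.create(candidates, ",")
    WHILE tok.hasMoreTokens()
        LET name = tok.nextToken()
        LET name = name.trim()
        # The attribute name is chosen by the IdP: the variable suffix must match it
        LET value = fgl_getenv("SAML_" || name)
        IF value IS NOT NULL AND value.getLength() > 0 THEN
            RETURN value
        END IF
    END WHILE
    RETURN NULL
END FUNCTION

MAIN
    DEFINE email, fullname, country STRING

    # The alternative names are assumptions for illustration; list, in order of
    # preference, the names each federated IdP releases the attribute under.
    LET email    = first_saml_attribute("email, mail")
    LET fullname = first_saml_attribute("fullname, displayName, cn")
    LET country  = first_saml_attribute("country, c")

    # A missing mandatory attribute means the IdP mapping is wrong: stop here
    # rather than continuing with a guessed or anonymous identity.
    IF email IS NULL THEN
        DISPLAY "SAML assertion carried no email attribute: check the IdP attribute mapping"
        EXIT PROGRAM 1
    END IF

    # Attribute values are data released by the IdP, not trusted code: keep using
    # them through SQL placeholders and never concatenate them into statements.
    DISPLAY "Authenticated user: ", email
    IF fullname IS NOT NULL THEN
        DISPLAY "Full name: ", fullname
    END IF
    IF country IS NOT NULL THEN
        DISPLAY "Country: ", country
    END IF
END MAIN
```

Because fgl_getenv() only reads the process environment, the program can be exercised without an IdP by exporting the variables in the shell before starting it with fglrun (for example SAML_mail set and SAML_email unset, to confirm the fallback name is picked up, or neither set, to confirm the program exits with status 1). In production, the variables are set by the SAML layer and the values carry no proof of their own validity, so the application must not accept them from any other source.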