How to pass SAML IDP attributes to Tanzu Application Service for VMs Single Sign On
Article ID: 298195

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

This article covers how to pass SAML IDP attributes to Tanzu Application Service for VMs (TAS for VMs) Single Sign On.

Environment

Product Version: 2.10

Resolution

1. Using your browser's Developer Tools, capture the SAMLResponse form field from the login (in the HTTP-POST binding it is plain base64, not DEFLATE-compressed). Base64-decode it and locate the <saml:AttributeStatement>. This confirms the attribute names the Identity Provider (IDP) actually returns; the name you enter in the SSO mapping must match the Attribute "Name" value exactly as it appears here. Decoding in the browser is for inspection only: the values SSO uses come from the assertion it validates server-side.
In the sample below, we configure and map the attributes, "email" and "given_name".

<saml:AttributeStatement>
    <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">admin1</saml:AttributeValue>
    </saml:Attribute>

    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
    </saml:Attribute>

    <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">admin1</saml:AttributeValue>
    </saml:Attribute>

    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">opsmanadmin</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">pasadmin</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">pksadmin</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">ssouser</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>


2. Open the TAS SSO Operator dashboard at https://p-identity.<sys-domain>.

3. Select the service plan, then open the "Identity Providers" tab for that plan.

4. Select the identity provider and locate the section "Custom Attributes" (towards the end of the page).

5. In this example, we map the following attributes:

    IDP Attribute    SSO Attribute
    given_name       family_name
    email            myemail
    email-name **    othervalue

Note: ** = this IDP attribute does not exist in the SAMLResponse.

6. Enter the mapping as shown. Make sure "Persist Custom Attributes" is checked. Then click "Save".

Note: The IDP attribute "email-name" does not exist in the SAMLResponse and will not be mapped. It was added to show what happens when a mapped IDP attribute is missing from the assertion.


7. Deploy or run the Authcode-Identity-Sample application and open its /info page. It shows the user_attributes that SSO passes to the application: "family_name" (from given_name) and "myemail" (from email).

Note: "othervalue" does not appear because the IDP attribute "email-name" does not exist in the SAMLResponse.
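The following script is an added example and not part of this article or of the SSO product: it performs step 1 offline (base64-decoding a SAMLResponse and pulling the Attribute names and values out of the AttributeStatement) and then applies a Custom Attributes mapping the way the steps above describe it, so that a mapped IDP attribute missing from the assertion, such as "email-name", produces no SSO attribute. The SAMLResponse it decodes is a constructed, unsigned sample modelled on the captured AttributeStatement above (with a placeholder e-mail address); the mapping table is the one from step 5. Values are kept as lists because SAML attributes such as "groups" can be multi-valued; how the SSO service itself represents them is not asserted here.

```python
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (NOT a real signed response): a Response wrapping an
# AttributeStatement with the same attributes as the capture in step 1.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">admin1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">admin1@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">admin1</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">opsmanadmin</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">pasadmin</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">pksadmin</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">ssouser</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What Developer Tools shows in the POST form: the XML as plain base64.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii")

# The Custom Attributes table from step 5: (IDP Attribute, SSO Attribute).
MAPPING = [("given_name", "family_name"), ("email", "myemail"), ("email-name", "othervalue")]


def decode_saml_response(saml_response_field: str) -> str:
    """Decode the SAMLResponse form field of the HTTP-POST binding (base64 only, no DEFLATE)."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def extract_attributes(xml_text: str) -> dict[str, list[str]]:
    """Return {Attribute Name: [values]} from every AttributeStatement in the response."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attribute in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attribute.get("Name")
        if name is None:
            continue
        values = [v.text or "" for v in attribute.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def map_custom_attributes(idp_attrs: dict[str, list[str]],
                          mapping: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Apply an IDP Attribute -> SSO Attribute mapping.

    An IDP attribute that is not present in the response is skipped, so its SSO
    attribute never appears; this is why "othervalue" is absent on the /info page.
    """
    user_attributes: dict[str, list[str]] = {}
    for idp_name, sso_name in mapping:
        if idp_name not in idp_attrs:
            continue
        user_attributes[sso_name] = list(idp_attrs[idp_name])
    return user_attributes


def resolve_user_attributes(saml_response_field: str,
                            mapping: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Decode, extract and map in one call: SAMLResponse field -> user_attributes."""
    return map_custom_attributes(extract_attributes(decode_saml_response(saml_response_field)), mapping)


if __name__ == "__main__":
    idp = extract_attributes(decode_saml_response(SAMPLE_SAMLRESPONSE))
    print("IDP attributes returned:", sorted(idp))
    print("user_attributes:", resolve_user_attributes(SAMPLE_SAMLRESPONSE, MAPPING))
```

Run it against a real capture by replacing SAMPLE_SAMLRESPONSE with the base64 string copied from the POST body; the printed IDP attribute names are the ones that will work in the "IDP Attribute" column, and any mapping row whose name is not in that list is silently dropped, exactly as "email-name" is above.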