2016-05-27 15:23:34 +00:00
|
|
|
[[_protocol-mappers]]
|
2016-05-20 20:52:41 +00:00
|
|
|
|
2016-05-24 18:16:54 +00:00
|
|
|
=== OIDC Token and SAML Assertion Mappings
|
2016-04-18 15:15:25 +00:00
|
|
|
|
|
|
|
|
Applications that receive ID Tokens, Access Tokens, or SAML assertions may need or want different user metadata and roles.
|
2016-05-24 18:16:54 +00:00
|
|
|
{{book.project.name}} allows you to define what exactly is transferred.
|
2016-04-18 15:15:25 +00:00
|
|
|
You can hardcode roles, claims and custom attributes.
|
|
|
|
|
You can pull user metadata into a token or assertion.
|
|
|
|
|
You can rename roles.
|
2016-05-20 00:15:52 +00:00
|
|
|
Basically you have a lot of control of what exactly goes back to the client.
|
2016-04-18 15:15:25 +00:00
|
|
|
|
2016-05-24 18:16:54 +00:00
|
|
|
Within the Admin Console, if you go to an application you've registered, you'll see a `Mappers` tab. Here's one for
|
|
|
|
|
an OIDC based client.
|
|
|
|
|
|
|
|
|
|
.Mappers Tab
|
|
|
|
|
image:../../{{book.images}}/mappers-oidc.png[]
|
|
|
|
|
|
2016-06-03 13:12:04 +00:00
|
|
|
Each client has several built-in mappers that are created for it by default. They map things like, for example, email address to
|
|
|
|
|
a specific claim in the identity and access token. Their function should each be self explanatory from their name. There
|
|
|
|
|
are additional pre-configured mappers that are not attached to the client that you can add
|
2016-05-24 18:16:54 +00:00
|
|
|
by clicking the `Add Builtin` button.
|
|
|
|
|
|
2016-06-03 13:12:04 +00:00
|
|
|
Each mapper has common settings as well as additional ones depending on which type of mapper you are adding. Click the `Edit` button
|
2016-05-24 18:16:54 +00:00
|
|
|
next to one of the mappers in the list to get to the config screen.
|
|
|
|
|
|
|
|
|
|
.Mapper Config
|
|
|
|
|
image:../../{{book.images}}/mapper-config.png[]
|
|
|
|
|
|
2016-06-03 13:12:04 +00:00
|
|
|
The best way to learn about a config option is to hover over its tooltip. There are a few config options that
|
|
|
|
|
are common to all mappers:
|
2016-05-24 18:16:54 +00:00
|
|
|
|
|
|
|
|
Consent::
|
|
|
|
|
If your client requires consent, this mapper will be displayed on the consent screen shown to the user.
|
|
|
|
|
Consent Text::
|
|
|
|
|
If your client requires consent and the `Consent` switch is on, this is the text that will be displayed by the user.
|
|
|
|
|
The value for this text is localizable by specifying a substitution variable with `$\{var-name}}` strings. The
|
2016-06-01 02:01:13 +00:00
|
|
|
localized value is then configured within property files in your theme. See the link:{{book.developerguide.link}}[{{book.developerguide.name}}]
|
2016-05-24 18:16:54 +00:00
|
|
|
for more information on localization.
|
|
|
|
|
|
|
|
|
|
Most OIDC mappers also allow you to control where the claim gets put. You can opt to include or exclude the claim from both the
|
|
|
|
|
_id_ and _access_ tokens by fiddling with the `Add to ID token` and `Add to access token` switches.
|
|
|
|
|
|
2016-06-03 13:12:04 +00:00
|
|
|
Finally, you can also add other mapper types. If you go back to the `Mappers` tab, click the `Create` button.
|
2016-05-24 18:16:54 +00:00
|
|
|
|
|
|
|
|
.Add Mapper
|
2016-06-01 02:01:13 +00:00
|
|
|
image:../../{{book.images}}/add-mapper.png[]
|
2016-05-24 18:16:54 +00:00
|
|
|
|
|
|
|
|
Pick a `Mapper Type` from the list box. If you hover over the tooltip, you'll see a description of what that mapper type does.
|
|
|
|
|
Different config parameters will appear for different mapper types.
|
|
|
|
|
|
