Question

Synchronize claims through SAML to LFDS

asked on November 7, 2019

We are now setting up the Laserfiche environment for our upcoming work. We are using SAML from Azure AD for authentication. We have already defined extra claims (such as employee ID) in Azure AD, but we have no idea how to synchronize these extra claims to LFDS, as creating "Other Claims" in LFDS under Identity Provider does not seem to work.

Furthermore, it seems that other defined claims (such as e-mail) only synchronize when the user logs in to LF. Is it possible to synchronize this information even if the user has never logged in? We need to use the e-mail address to send alerts in our business process.

Thanks. 

0 0

Replies

replied on November 11, 2019

Hi John,

To address your first question, those custom claims will be added to the token that LFDS generates when the user logs in to an end application. Those claims will not be visible in the LFDS UI.

With regards to your second question, this behavior is due to how SAML works. The SAML provider needs the user to authenticate before handing over the information it has on the user.

1 0
replied on November 11, 2019

Thanks. But how can I access those "Other Claims" defined in the identity provider?

Tried to check for the table "additional_claims" but no hope.
0 0
replied on November 12, 2019

Whenever a user signs in, you will find those claims passed in their LFDS token. We do not currently store those values anywhere.

0 0
replied on June 5, 2020

If you make a change to the claim mappings, do you have to recreate the metadata file and import it into Azure AD? We followed the whitepaper for SAML with Azure AD, but we are not seeing any of the claim data come in.

0 0
replied on June 5, 2020

Claim mappings are not included in LFDS SP metadata. I'd suggest intercepting a SAML Response to see what claim names are being sent by AAD, and enter those claim names in your LFDS claim mapping settings.

1 0
replied on June 5, 2020

Here is an example of what I am seeing. In azure the claim value is 'user.surname'. The whitepaper mentioned to use that when configuring LFDS. Am I only supposed to use 'surname'?

I tried changing it to 'surname' just in case and it still does not get populated after logging in as the user.

0 0
replied on June 5, 2020

Figured it out. It has to be the attribute name as it shows in the screenshot in my previous post. The whitepaper needs to be updated to point that out, as it is misleading as to what needs to be used.

0 0
replied on June 5, 2020

I'll make sure we run through the whitepaper again; Microsoft has changed quite a few things and the whitepaper has needed to be updated a couple of times.

1 0
replied on June 5, 2020

We intended that to be an example because it is dependent on the SAML provider as well as configuration, but I can make sure we emphasize this more: "type the attribute names you configured in your identity provider's configuration site"

Especially considering it appears AAD may not have a way to decide the name being sent in the SAML response.

0 0
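The advice above (intercept a SAML Response and copy the attribute names exactly as the identity provider sends them, rather than the `user.surname`-style source expressions shown in the Azure portal) can be checked mechanically. The following is an added example, not Laserfiche or LFDS code: it decodes a captured base64 `SAMLResponse` form value, lists every `Attribute Name` in the assertion, and for each LFDS field you want to fill reports the exact sent name to paste into the claim-mapping settings. The sample response is constructed inline; its attribute names mimic the default claim URIs Azure AD emits plus one custom `employeeid` claim, and the `extract_attributes` and `mapping_hint` helpers are this example's own.

```python
"""List the attribute names an IdP actually sends in a SAML Response.

Added example for this thread (not Laserfiche/LFDS code). Given the
base64-encoded SAMLResponse captured from the browser, decode the XML and
return {Attribute Name: [values]}. Those Name strings are what belong in the
LFDS claim-mapping fields, not the IdP-side source expressions such as
'user.surname'.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def extract_attributes(saml_response_b64: str) -> dict[str, list[str]]:
    """Decode a base64 SAMLResponse and return {AttributeName: [values]}.

    This reads attribute names and values only; the XML signature is NOT
    verified. Use it to inspect which names the IdP sends, never to make a
    trust decision about a user. For anything beyond a one-off inspection
    of a response you captured yourself, parse with defusedxml instead of
    the standard library.
    """
    xml_bytes = base64.b64decode(saml_response_b64)
    root = ET.fromstring(xml_bytes)
    attrs: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs[name] = values
    return attrs


def mapping_hint(attrs: dict[str, list[str]], wanted: list[str]) -> dict[str, str]:
    """For each field you want to map (e.g. 'surname'), find the sent Name whose
    last path segment matches it, so the exact string can be copied into LFDS.

    AAD's default claims are full URIs ending in the short name; custom claims
    may be sent as a bare name, which the same rule also matches.
    """
    hints: dict[str, str] = {}
    for field in wanted:
        for name in attrs:
            if name.rsplit("/", 1)[-1].lower() == field.lower():
                hints[field] = name
    return hints


# Constructed sample resembling an Azure AD response (unsigned, trimmed to the
# attribute statement). The Names are AAD's default claim URIs plus a custom
# 'employeeid' claim; note that nothing is called 'user.surname' on the wire.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Assertion ID="_assertion" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="employeeid">
        <saml:AttributeValue>E12345</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


if __name__ == "__main__":
    sent = extract_attributes(SAMPLE_RESPONSE_B64)
    for name, values in sent.items():
        print(f"{name} -> {values}")
    print(mapping_hint(sent, ["surname", "emailaddress", "employeeid"]))
```

To use it on a real login, capture the POST to the LFDS assertion consumer URL in the browser's developer tools (or a proxy you control), copy the `SAMLResponse` form value, and pass it to `extract_attributes`. The keys it returns are the strings to type into the LFDS claim-mapping fields; if a custom claim such as employee ID is missing from the output, it is not being emitted by the identity provider and no LFDS setting will make it appear.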