AAAI-13

Do you allow the customer to specify attribute mappings for any needed information beyond a user identifier? (e.g., Reference eduPerson, ePPA/ePPN/ePE)

Explanation

This question is asking whether your service allows customers to customize how user attributes are mapped from their identity provider (IdP) to your service during authentication.

In federated identity systems (like SAML or OAuth/OIDC), when a user logs in, the identity provider sends certain attributes about the user to your service. At minimum, this includes a unique identifier, but often organizations need to send additional attributes like name, email, department, role, etc.

'Attribute mappings' refers to the ability to configure how these attributes from the customer's identity system map to user attributes in your system. For example, mapping 'mail' from their system to 'email' in yours.

The reference to 'eduPerson' and related schemas is particularly relevant in higher education contexts. These are standardized attribute schemas used by educational institutions that define specific user attributes like eduPersonPrincipalName (ePPN), eduPersonAffiliation (ePA), etc.

This question is asked in security assessments because:

1. It determines flexibility for integration with the customer's identity management systems
2. It affects how access control can be implemented based on user attributes
3. It impacts privacy and data minimization (sending only needed attributes)
4. It's important for compliance in certain sectors like education

When answering, you should clearly state whether your system supports custom attribute mappings, which specific standards you support (if any), and how customers can configure these mappings.
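The mapping described above, sketched as an added example (not ResponseHub's or any vendor's code): a per-customer table maps IdP attributes to local fields, joins two source attributes into one field, and drops everything unmapped. `MAPPING`, `map_attributes`, the local field names and the sample assertion are hypothetical and constructed; the `urn:oid:` names are the standard SAML names for eduPersonPrincipalName, mail, givenName, sn and eduPersonAffiliation.

```python
# eduPersonAffiliation controlled vocabulary; anything else is discarded.
ALLOWED_AFFILIATIONS = {"faculty", "student", "staff", "alum", "member",
                        "affiliate", "employee", "library-walk-in"}

# Hypothetical per-customer mapping: local field -> rule.
# IdP attributes not named here are never copied (data minimization).
MAPPING = {
    "username":     {"source": ["urn:oid:1.3.6.1.4.1.5923.1.1.1.6"], "required": True},
    "email":        {"source": ["urn:oid:0.9.2342.19200300.100.1.3"]},
    "display_name": {"source": ["urn:oid:2.5.4.42", "urn:oid:2.5.4.4"], "join": " "},
    "affiliations": {"source": ["urn:oid:1.3.6.1.4.1.5923.1.1.1.1"], "multi": True,
                     "allowed": ALLOWED_AFFILIATIONS},
}

# Constructed sample of attributes released by an IdP (name -> list of values).
SAMPLE_ASSERTION = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["jdoe@example.edu"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["jane.doe@example.edu"],
    "urn:oid:2.5.4.42": ["Jane"],
    "urn:oid:2.5.4.4": ["Doe"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ["Staff", "member", "superuser"],
    "urn:oid:2.5.4.20": ["+1 555 0100"],  # telephoneNumber: unmapped, so dropped
}

def map_attributes(asserted, mapping):
    """Translate IdP attributes into local user fields using the customer's mapping."""
    user = {}
    for field, rule in mapping.items():
        values = [asserted.get(name, []) for name in rule["source"]]
        if rule.get("multi"):
            # Multi-valued attribute: normalize case, keep only allowed values.
            allowed = rule.get("allowed")
            vals = [v.lower() for v in values[0]]
            user[field] = sorted(v for v in vals if allowed is None or v in allowed)
            continue
        # Single-valued fields need exactly one value per source attribute;
        # zero or several values is ambiguous, so fail closed or skip.
        if any(len(v) != 1 for v in values):
            if rule.get("required"):
                raise ValueError(f"{field}: expected exactly one value per source attribute")
            continue
        user[field] = rule.get("join", "").join(v[0].strip() for v in values)
    return user

if __name__ == "__main__":
    print(map_attributes(SAMPLE_ASSERTION, MAPPING))
```

A login with a missing or multi-valued identifier is rejected rather than provisioned, and an affiliation value outside the eduPerson vocabulary never reaches access-control decisions.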

Example Responses

Example Response 1

Yes, our platform provides comprehensive support for custom attribute mappings. Customers can configure mappings for any attributes provided by their identity provider beyond the basic user identifier. We support standard schemas including eduPerson attributes (eduPersonPrincipalName, eduPersonAffiliation, etc.) as well as custom attributes. Administrators can configure these mappings through our SSO configuration interface or via our API. This allows institutions to map attributes like department, role, title, and organizational unit to the corresponding fields in our system, enabling fine-grained access control and personalization.

Example Response 2

Yes, we support flexible attribute mapping capabilities through our Identity Provider Configuration Console. Customers can map standard attributes (like name, email) as well as custom attributes specific to their organization. For educational institutions, we explicitly support eduPerson schema attributes including ePPN, ePE, and ePAffiliation. Our system allows for both one-to-one mappings (e.g., eduPersonPrincipalName → username) and transformation rules (e.g., combining firstName+lastName attributes into a displayName field). These mappings can be configured during initial SSO setup and modified at any time by authorized administrators.

Example Response 3

No, our current implementation only supports basic attribute mapping. We require a unique user identifier (typically email address) and can optionally consume first name and last name attributes if provided by the identity provider. We do not currently support mapping of extended attributes like those in the eduPerson schema or custom organizational attributes. While we recognize this limitation may impact some integration scenarios, we've found that most of our customers' needs are met with our current implementation. We have plans to expand our attribute mapping capabilities in our next major release scheduled for Q3 of this year.

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub