Profile Mappers - Fluid Topics - 3.10

Fluid Topics Configuration and Administration Guide

Category: Reference Guides
Audience: public
Version: 3.10

When a user logs in via a SAML authentication mechanism for the first time, a Fluid Topics account is created. In order to create this account, Fluid Topics attempts to retrieve the following information:

  • ID - mandatory, must be stable.
  • Display name - mandatory, the user will be prompted to provide this information at the time of first login if necessary.
  • Email - mandatory, the user will be prompted to provide this information at the time of first login if necessary.
  • Groups - optional.
  • Roles - optional.

Fluid Topics tries to automatically detect this information in the response sent by the SAML provider when the user logs in. SAML responses embed two types of user information:

  • the NameID (the user identifier). Fluid Topics requires it to be present.
  • the AttributeStatement that contains a set of attributes. A SAML attribute is composed of a name and a set of string values.

Sometimes, the information retrieved is incomplete. In this case, an administrator must define mappings in the Profile mappers section of the New realm drawer. Mappings make it possible to define equivalents between the properties and attributes of a Fluid Topics user profile and those defined on the SAML provider's side. They also make it possible for the user to log in via a SAML authentication mechanism without having to enter their name and email address.



- The Profile mappers section is not immediately displayed in the New realm drawer. It appears after importing an Identity provider metadata XML file.

- The Profile mappers section is read-only. In order to modify one or more mappings, it is necessary to open the configuration assistant by selecting the Run configuration assistant button.

- It is necessary to have the credentials of a SAML realm user on hand in order to run the configuration assistant.

- If the configuration is incomplete or invalid, Fluid Topics displays an HTTP 500 error when the administrator attempts to run the configuration assistant.

If the SAML provider is Keycloak, additional configuration in the Keycloak UI is required to ensure that the condition of a stable ID is met.

By examining the list of available profile attributes in the Verify resolution results section of the Profile mappers assistant drawer, administrators can check that nothing is missing. If an attribute is missing, it is possible to define a mapping based on a property or a JavaScript function as follows:

  • If a property in the SAML response is to supply the corresponding property in Fluid Topics, it is necessary to define a mapping based on a property.
  • If mapping a property in the SAML response to a property in Fluid Topics is not possible, it is necessary to define a mapping based on a JavaScript function.

Once the information retrieved by Fluid Topics is accurately mapped to the information supplied by the SAML provider, the configuration of the authorization process is complete.
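
An offline version of the completeness check described above, as an added example that is not Fluid Topics code: it reads the NameID and AttributeStatement from a constructed SAML assertion, applies a hypothetical mapping table, and reports which mandatory profile fields stay unresolved and whether the NameID format is transient (so not a stable ID). The attribute names, `MAPPING` and the function names are assumptions; the script does no signature validation and is meant only for assertions you captured yourself.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
MANDATORY = ("id", "display_name", "email")  # groups and roles are optional

# Constructed sample assertion (signature and conditions left out).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-8f3a21</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>writers</saml:AttributeValue>
      <saml:AttributeValue>reviewers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping: profile field -> SAML attribute name ("NameID" = subject identifier).
MAPPING = {"id": "NameID", "display_name": "displayName", "email": "mail", "groups": "memberOf"}


def parse_assertion(xml_text):
    """Return (name_id, name_id_format, {attribute name: [string values]})."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    if name_id is None:
        return None, None, attrs
    return (name_id.text or "").strip(), name_id.get("Format"), attrs


def resolve_profile(xml_text, mapping):
    """Apply the mapping; return (profile, missing mandatory fields, unstable_id)."""
    name_id, fmt, attrs = parse_assertion(xml_text)
    profile = {}
    for field, source in mapping.items():
        values = [name_id] if source == "NameID" and name_id else attrs.get(source, [])
        values = [v for v in values if v]  # drop empty attribute values
        if values:
            profile[field] = values if field in ("groups", "roles") else values[0]
    missing = [f for f in MANDATORY if f not in profile]
    unstable_id = fmt == TRANSIENT  # a transient NameID is not stable across logins
    return profile, missing, unstable_id


if __name__ == "__main__":
    print(resolve_profile(SAMPLE, MAPPING))
```

With the sample above, the display name is reported as missing, which is the case where the user would be prompted at first login unless a mapping is added.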