Subject mapping
When configuring an Application (Service Provider) or an Identity Provider in TrustBuilder, you need to define the subject. The subject is the unique identifier used to match a user between TrustBuilder and the application. It lets TrustBuilder determine which user account is involved when a user authenticates through an application (SP) or an IdP.
You can choose one of the following subject types depending on how your users are identified:
email → the user is identified by their email address.
userid → the user is identified by their unique TrustBuilder user ID.
username → the user is identified by their username attribute.
predefined → the subject is configured manually via API calls. This is useful when none of the other identifiers match your setup. It lets you define the exact value that TrustBuilder will send to or receive from the IdP or SP for a user account.
Match Identity Provider (IdP) subjects to users
When users authenticate through an external IdP, TrustBuilder must know which user corresponds to the subject received from that IdP.
To register this mapping, use the following API call:
POST https://api.trustbuilder.io/api/v1/sso/authentication-server-subjects
| Parameter | Type | Description |
|---|---|---|
| authentication_server_id | string | ID of the Identity Provider in TrustBuilder |
| subject | string | Subject value received from the IdP (for example, a Facebook user ID) |
| user_id | string | Internal TrustBuilder user ID that corresponds to this subject |
Example:
{
  "authentication_server_id": "fb-login",
  "subject": "9a8b7c6d5e4f4a3b9c1dffeeddccbbaa",
  "user_id": "7f3a5629-1bb9-4deb-bba4-eb593c4fd4e2"
}
Match users to Applications (SP) subjects
When TrustBuilder authenticates a user for an Application (SP), it must send a subject value that the SP will recognize as the user’s identifier.
To define this mapping, use:
POST https://api.trustbuilder.io/api/v1/sso/application-subjects
| Parameter | Type | Description |
|---|---|---|
| application_id | string | ID of the Application in TrustBuilder |
| subject | string | Subject value that TrustBuilder will send to the SP |
| user_id | string | Internal TrustBuilder user ID |
Example:
{
  "application_id": "iamshowcase",
  "subject": "d2a1f7c46b8e4f2a9c5b1a2b3c4d5e6f",
  "user_id": "7f3a5629-1bb9-4deb-bba4-eb593c4fd4e2"
}
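The following is an added example, not TrustBuilder code: a local pre-flight check for a batch of predefined mappings, covering both the IdP and the SP call above, that refuses any subject claimed by more than one user within the same IdP or application. The function name, the UUID check on user_id, the padding check and the sample batch are assumptions. Sending the requests, including authentication, is left out because the page does not describe it.

```python
import json
import uuid
from collections import defaultdict

# Endpoints and field names come from the page; the checks are assumptions.
BASE = "https://api.trustbuilder.io/api/v1/sso"
ENDPOINTS = {
    "authentication_server_id": BASE + "/authentication-server-subjects",
    "application_id": BASE + "/application-subjects",
}

def check_mappings(mappings):
    """Return (requests, errors); requests are (url, json_body) pairs to POST."""
    errors, valid, owners = [], [], defaultdict(set)
    for i, m in enumerate(mappings):
        keys = [k for k in ENDPOINTS if isinstance(m.get(k), str) and m[k]]
        if len(keys) != 1:
            errors.append(f"#{i}: need exactly one IdP or application ID")
            continue
        subject = m.get("subject")
        if not isinstance(subject, str) or not subject or subject != subject.strip():
            errors.append(f"#{i}: subject must be a non-empty, unpadded string")
            continue
        try:  # Assumption: user IDs are UUIDs, as in the page's examples.
            user = str(uuid.UUID(str(m.get("user_id"))))
        except ValueError:
            errors.append(f"#{i}: user_id is not a UUID")
            continue
        scope = (keys[0], m[keys[0]], subject)
        owners[scope].add(user)
        valid.append((i, scope, user))
    requests = []
    for i, scope, user in valid:
        if len(owners[scope]) > 1:  # a subject must resolve to exactly one user
            errors.append(f"#{i}: subject {scope[2]!r} maps to several users")
            continue
        body = {scope[0]: scope[1], "subject": scope[2], "user_id": user}
        requests.append((ENDPOINTS[scope[0]], json.dumps(body)))
    return requests, errors

# Constructed sample batch; U1 and the first two subjects reuse the page's examples.
U1, U2 = "7f3a5629-1bb9-4deb-bba4-eb593c4fd4e2", "00000000-0000-4000-8000-000000000002"
SAMPLE = [
    {"authentication_server_id": "fb-login", "subject": "9a8b7c6d5e4f4a3b9c1dffeeddccbbaa", "user_id": U1},
    {"application_id": "iamshowcase", "subject": "d2a1f7c46b8e4f2a9c5b1a2b3c4d5e6f", "user_id": U1},
    {"authentication_server_id": "fb-login", "subject": "dup-subject", "user_id": U1},
    {"authentication_server_id": "fb-login", "subject": "dup-subject", "user_id": U2},
    {"application_id": "iamshowcase", "subject": " padded", "user_id": U1},
]
```

Only the first two sample entries yield request bodies; the duplicated subject and the padded subject are reported as errors.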