How-Tos
This section provides practical, step-by-step instructions on how to perform specific tasks or address particular scenarios.
How to propagate OIDC SP scope to match with SAML IdP attributes
To ensure a seamless user experience in scenarios where OIDC and SAML are used, it may be necessary to align attribute expectations between the two protocols. This involves creating an attribute set with attributes that match those of the scope. Follow the step-by-step procedure below for more information.
Create the attributes that will be included in both OIDC scope and SAML attributes.
See Defining custom attributesCreate a scope you want to use in OIDC:
Define it as OPENID type.
Enter a name and an optional description.
Select the attributes to be included in the scope.
Click on Save & Close.
Create an attribute set:
Enter a name
Select the attributes included in the scope.
Click on Save & Close.
Configure an OAuth Service Provider with the following properties:
Check “Propagate to attribute set”
Allow
openidscope (OAUTH scope type)Allow the scope created above.
Configure a SAML Identity Provider with the following property:
Define “Attribute Consuming Services” with the attribute set created above.
Test your configuration:
⚠️ Note that exactly one scope of OPENID type must be present in the request for propagation to work.
Make an OIDC Authorization Request from the configured Service Provider. Build the authorization request with the necessary parameters. Make sure to include scopes:
openidand the scope created and configured above.
For example:CODEhttps://authorization-server/authorize ?response_type=code &client_id=your-client-id &redirect_uri=your-redirect-uri &scope=openid myscope01TrustBuilder will use the attribute set that contains all of the attributes defined in the incoming OpenID scope and the least additional attributes.
The SAML request to the IDP containsAttributeConsumingServiceattribute with an index defined on IDP configuration.