SAML Response Requirements
In response to a SAML authentication request from Security Cloud Sign On, your identity provider sends a SAML response. If the user authenticated successfully, the response includes a SAML assertion that contains the NameID attribute and other user attributes. The SAML response must meet specific criteria, as explained below.
SHA-256-signed responses
The SAML response from your identity provider must be signed using the SHA-256 signature algorithm.
SAML assertion attributes
The SAML assertion in the response from your identity provider must contain the following attribute names. These names must be mapped to the corresponding attributes of the IdP’s user profile. IdP user profile attribute names vary by vendor.
| SAML assertion attribute name | Identity provider user attribute |
|---|---|
| firstName | User's first or given name. |
| lastName | User's last name or surname. |
| email | User's email. This must match the value of the <NameID> element in the SAML response (see below). |
| SamlIDPUserGroups or SamlADUserGroupIds | Group memberships of users. |
<NameID> element format
The value of the <NameID> element in the SAML response must be a valid email address and match the value of the assertion's email attribute. The <NameID> element's Format attribute must be set to one of the following:
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Example SAML assertion
The following XML is an example of the SAML assertion in a response from an identity provider to the Security Cloud Sign On ACS URL. Note that jsmith@example.com is the value of both the <NameID> element and the email SAML response attribute.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id9538389495975029849262425" IssueInstant="2023-08-02T01:13:04.861Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"/>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2023-08-02T01:18:05.160Z" Recipient="https://sso.security.cisco.com/sso/saml2/0oa1rs8y79aeweVg80h8"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2023-08-02T01:08:05.160Z" NotOnOrAfter="2023-08-02T01:18:05.160Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://www.okta.com/saml2/service-provider/12345678890</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2023-08-02T01:13:04.861Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Joe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jsmith@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
```
The attributes SamlIDPUserGroups and SamlADUserGroupIds are required to map an identity provider group to a group in an organization.
Example SAML assertion for identity provider group mapping
```xml
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  …
  <saml2:Attribute Name="SamlIDPUserGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IdP_Group_Mapping_1</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IdP_Group_Mapping_2</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">452dce15-05fa-4f7c-aa60-30dcefae7433</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="SamlADUserGroupIds" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IdP_Group_Mapping_1</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">IdP_Group_Mapping_2</saml2:AttributeValue>
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">452dce15-05fa-4f7c-aa60-30dcefae7433</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```
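To check an assertion against the content rules on this page (required firstName, lastName and email attributes, an allowed <NameID> Format, a <NameID> that is an email address matching the email attribute, and a group attribute), here is an added Python example that is not part of the Cisco documentation; it uses only the standard library, works on a constructed assertion of the same shape as the page's example, and assumes the response's XML signature has already been verified upstream.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed sample assertion (same shape as the page's example; signature omitted).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id1" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Joe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Smith</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jsmith@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="SamlIDPUserGroups"><saml2:AttributeValue>IdP_Group_Mapping_1</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def attribute_values(root, name):
    """All AttributeValue texts of the named SAML attribute, whitespace-trimmed."""
    values = []
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == name:
            values += [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
    return values

def check_assertion(xml_text):
    """Return the list of violated requirements; an empty list means the assertion passes.
    Only content rules are checked here: signature verification (SHA-256) is assumed done."""
    root = ET.fromstring(xml_text)
    problems = []
    nameid = root.find("saml2:Subject/saml2:NameID", NS)
    if nameid is None:
        return ["missing <NameID> element"]
    nameid_value = (nameid.text or "").strip()
    if nameid.get("Format") not in ALLOWED_NAMEID_FORMATS:
        problems.append("unsupported NameID Format: %r" % nameid.get("Format"))
    if not EMAIL_RE.match(nameid_value):
        problems.append("NameID is not an email address: %r" % nameid_value)
    for required in ("firstName", "lastName", "email"):
        if not attribute_values(root, required):
            problems.append("missing required attribute: " + required)
    emails = attribute_values(root, "email")
    if emails and emails[0] != nameid_value:  # page requires an exact match
        problems.append("email attribute does not match NameID")
    if not attribute_values(root, "SamlIDPUserGroups") + attribute_values(root, "SamlADUserGroupIds"):
        problems.append("no SamlIDPUserGroups or SamlADUserGroupIds attribute")
    return problems
```

For XML received from an untrusted party, parse with defusedxml instead of calling xml.etree directly, and run this check only after the signature has been validated.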