Page Comparison

...

Expand

title	Create Identity Provider (Claim) Mappings

Create Identity Provider (Claim) Mappings

You can configure claim mappings and group mappings for your external Identity Provider.

Include Page

	TERMS:Identity Provider
	TERMS:Identity Provider

Open Settings > IdP Settings
Add claim mappings
1. Provide the claim name from your AD which holds the user attributes e.g. company, telephone number. Ensure the correct spelling!
2. Map to Picturepark user attributes
Add group mappings
1. Provide the claim name (issued claims) from your AD which holds your user group assignments e.g. Groups. Ensure the correct spelling!
2. Define a Fallback user role. The fallback user role of the IdP will only be used if none of the group mappings find a matching role or the default user role is not defined for the Picturepark. This cannot be Super Admins.
3. Map Group names from your AD to user roles in Picturepark.

Note
Without group mappings, your users will be able to login to Picturepark but will have only the default role of your Picturepark assigned (if there is any configured). You cannot add roles to federated users in Picturepark, but only through group mappings.

Warning
There is a Microsoft limitation for ADFS 2.0 which prevents using Domain Local Groups in a claim. Choose global or universal groups. More details on this limitation: https://social.technet.microsoft.com/wiki/contents/articles/13829.ad-fs-2-0-domain-local-groups-in-a-claim.aspx

The following attributes are mapped automatically in CP (if not overridden by a claim mapping).

User attribute	Claim types (first to have a value wins)
Email	email, that will be used as a username in Picturepark (mandatory).
sub	User identifier of the user within the IdP (mandatory; provided by ADFS in basic configuration).
First name	given_name
Last name	family_name
Language code	Default language coming from IDS Default customer language, only acceptable values are en and de. locale

...