Arthur Berthier

Reputation: 41

Which Claims should I use to map an ADFS user to GCIP

We have a SaaS product on the firebase platform, and one of our customers asked us to provide an SSO experience to their users. They have an old ADFS as an IdP.

I thought first of using Passport-Saml, but then noticed that firebase auth could use Google Cloud Identity Platform for a custom SAML IdP.

It worked pretty well and we got a user logged in first try. However, the user created in firebase is pretty empty.

Here is the user from the auth creation hook:

 {
  customClaims: {
  }
  disabled: false   
  displayName: null   
  email: null   
  emailVerified: false   
  metadata: {
   creationTime: "2020-09-21T22:43:36Z"    
   lastSignInTime: "2020-09-21T22:43:36Z"    
  }
  passwordHash: null   
  passwordSalt: null   
  phoneNumber: null   
  photoURL: null   
  providerData: [
   0: {
    providerId: "saml.xxxx"     
    uid: "xxxx"     
   }
  ]
  tokensValidAfterTime: null   
  uid: "xxxx"   
 }

On the ADFS side, our customer has configured the claims to map LDAP attributes as follows:
E-mail-Addresses -> E-mail Address
SAM-Account-Name -> Name ID

If anyone has an idea which SAML claim maps to which firebase user attribute, I would be very grateful; no luck in the docs.

Edit: I created the ServiceProvider.xml using saml tools

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2020-09-25T02:53:54Z"
                     cacheDuration="PT604800S"
                     entityID="xxxx">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="https://xxx.firebaseapp.com/__/auth/handler"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

And I did a bit more testing using saml test, which was a great sandbox.

Upvotes: 1

Views: 452

Answers (1)

Arthur Berthier

Reputation: 41

The answer is twofold:
The ServiceProvider.xml file needs to specify the NameID format as email address:

 <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>

And the claim mapping from ADFS needs to be:
E-mail-Addresses -> Name ID

Upvotes: 1
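As an added illustration of the fix described in this answer (example code written for this page, not code from the post, from ADFS or from Google Cloud Identity Platform), a small Python check that parses SP metadata and a SAML assertion with the standard library and shows why the NameID format matters. The metadata and assertion strings are constructed; the rule "NameID becomes the email only when its Format is emailAddress" is an assumption that mirrors what the answer observed, not a documented GCIP guarantee. The check also flags `WantAssertionsSigned="false"`, which the metadata in the question carries.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPEC_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SP metadata with the same shape as the one in the question.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="example-sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>{fmt}</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment, as an IdP would issue after mapping a claim to Name ID.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>
</saml:Assertion>"""


def sp_nameid_format(metadata_xml):
    """Return the NameIDFormat the SP metadata advertises."""
    root = ET.fromstring(metadata_xml)
    return root.findtext("md:SPSSODescriptor/md:NameIDFormat", namespaces=NS)


def sp_findings(metadata_xml):
    """List configuration findings for the SP metadata (assumed rules, see lead-in)."""
    sp = ET.fromstring(metadata_xml).find("md:SPSSODescriptor", NS)
    findings = []
    if sp_nameid_format(metadata_xml) != EMAIL_FMT:
        findings.append("NameIDFormat is not emailAddress: user email will stay null")
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is false: SP does not demand signed assertions")
    return findings


def user_from_assertion(assertion_xml):
    """Build the user fields the way the answer observed: NameID -> uid, and
    NameID -> email only when the Format is emailAddress (assumed behaviour)."""
    name_id = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    value = name_id.text.strip()
    is_email = name_id.get("Format") == EMAIL_FMT and "@" in value
    return {"uid": value, "email": value if is_email else None}
```

Running `sp_findings` on the question's original metadata reports both findings; after the answer's change only the unsigned-assertions finding remains.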
