Required SAML Attributes for Just-In-Time Provisioning
The Magentrix SSO allows Just-In-Time Provisioning via SAML. The following SAML Attributes are required to be mapped in your Identity Provider for proper Just-In-Time Provisioning function.
Note that when creating SAML assertions, the prefix ‘User.’ must be used for all fields passed in the SAML assertion. For example, if Username is the field being asserted, it must be entered as “User.Username”. See the following:
```xml
<saml:Attribute Name="User.Username"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml:AttributeValue xsi:type="xs:anyType">testuser@123.org</saml:AttributeValue>
</saml:Attribute>
```
Attribute Fields Accepted by Magentrix SSO
| Field Name | Required | Comments |
|---|---|---|
| AccountId | | Only applicable to community users |
| Alias | | |
| City | | |
| ContactId | | Only applicable to community users |
| Country | | |
| Currency | | Currency culture value such as: en-US |
| CurrencyIsoCode | | Two-Letter ISO Code (only required when multi-currency is enabled) |
| Description | | |
| Email | Yes | |
| Firstname | Yes | |
| IsActive | | |
| Language | | |
| Lastname | Yes | |
| Locale | | e.g. en-US or es-MX |
| ManagerId | | Only applicable to employee users |
| MobilePhone | | |
| Organization | | |
| Phone | | |
| PostalCode | | |
| RoleId | Yes | |
| State | | |
| Street | | |
| Timezone | | Based on Microsoft list of time zone values (Name of time zone) |
| Title | | |
| Username | Yes | Usually email address is used as the username |
Magentrix has three user role types: Employee users, Partner users, and Customer users. The type is determined by the Role ID. If this assertion is not given, Magentrix will create new users with the default user role chosen in Company Preferences > Application Self-Registration Settings or Custom Community settings (whichever is used).
Creating Community Users (Customers or Partners) requires an Account ID and a Contact ID.
The “User.AccountId” attribute can be provided as an ID value or the Account Record Name. If the corresponding record in the CRM is found, the community user will be associated with that Account. If the Account ID assertion is not provided, users will automatically be given the bucket account ID from Company Preferences > Application Self-Registration Settings (if one is configured).
The “User.ContactId” attribute can be provided to match the contact associated with the community user. You can provide the Contact ID value or an email address to match the contact record in the CRM. If the Contact ID assertion is not given, Magentrix will first check for a “Contact.Email” attribute; if it is provided and matches an existing contact, that contact’s ID will be linked to the new community user.
You can also use the user provisioning to create Account and Contact in the CRM when necessary for community users. For example, by prefixing attributes “Account.” or “Contact.”, you can populate standard or custom fields in these records.
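The following is an added example, not Magentrix code or part of this page: a small Python check that a service-provider operator (or an IdP administrator testing their attribute mapping) can run over a SAML assertion before enabling Just-In-Time Provisioning. It parses the AttributeStatement, separates the "User." attributes from the "Account." / "Contact." CRM attributes described above, flags attributes that lack the required "User." prefix, and reports which of the table's required fields are missing, including the conditional CurrencyIsoCode and the AccountId/ContactId pair that community users need. The sample assertion is constructed for this example; the role ID in it is a placeholder, and the "Phone" attribute is deliberately sent without the prefix to show the check firing.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Field names from the "Attribute Fields Accepted by Magentrix SSO" table.
ACCEPTED_FIELDS = {
    "AccountId", "Alias", "City", "ContactId", "Country", "Currency",
    "CurrencyIsoCode", "Description", "Email", "Firstname", "IsActive",
    "Language", "Lastname", "Locale", "ManagerId", "MobilePhone",
    "Organization", "Phone", "PostalCode", "RoleId", "State", "Street",
    "Timezone", "Title", "Username",
}
REQUIRED_FIELDS = {"Email", "Firstname", "Lastname", "RoleId", "Username"}
# Community users (Customers or Partners) additionally need these two.
COMMUNITY_FIELDS = {"AccountId", "ContactId"}

# Constructed sample assertion (not a real IdP capture). "ROLE-ID-PLACEHOLDER"
# stands in for a tenant-specific Role ID; "Phone" is intentionally unprefixed.
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="User.Username"><saml:AttributeValue xsi:type="xs:anyType">testuser@123.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Email"><saml:AttributeValue xsi:type="xs:anyType">testuser@123.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Firstname"><saml:AttributeValue xsi:type="xs:anyType">Test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.Lastname"><saml:AttributeValue xsi:type="xs:anyType">User</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="User.RoleId"><saml:AttributeValue xsi:type="xs:anyType">ROLE-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Account.Name"><saml:AttributeValue xsi:type="xs:anyType">Example Account</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Phone"><saml:AttributeValue xsi:type="xs:anyType">555-0100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Split the assertion's attributes into user fields, CRM record fields and problems.

    Returns (user_attrs, crm_attrs, problems):
      user_attrs: {field: value} for every "User.<field>" attribute
      crm_attrs:  {name: value} for "Account.<field>" / "Contact.<field>" attributes
      problems:   human-readable findings (unknown field, missing prefix)
    """
    root = ET.fromstring(xml_text)
    user_attrs, crm_attrs, problems = {}, {}, []
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name", "")
        value_el = attr.find("saml:AttributeValue", NS)
        value = (value_el.text or "").strip() if value_el is not None else ""
        if name.startswith("User."):
            field = name[len("User."):]
            if field not in ACCEPTED_FIELDS:
                problems.append(f"{name}: not an accepted Magentrix SSO field")
            user_attrs[field] = value
        elif name.startswith(("Account.", "Contact.")):
            crm_attrs[name] = value
        else:
            problems.append(f"{name}: missing the required 'User.' prefix")
    return user_attrs, crm_attrs, problems


def missing_for_jit(user_attrs, community_user=False, multi_currency=False):
    """Return the sorted list of required fields that are absent or empty.

    community_user adds AccountId/ContactId; multi_currency adds CurrencyIsoCode,
    matching the conditions stated in the attribute table.
    """
    required = set(REQUIRED_FIELDS)
    if multi_currency:
        required.add("CurrencyIsoCode")
    if community_user:
        required |= COMMUNITY_FIELDS
    return sorted(f for f in required if not user_attrs.get(f))


if __name__ == "__main__":
    user, crm, problems = parse_attributes(SAMPLE_ASSERTION)
    print("user fields:", user)
    print("CRM fields:", crm)
    print("problems:", problems)
    print("missing (employee):", missing_for_jit(user))
    print("missing (community, multi-currency):",
          missing_for_jit(user, community_user=True, multi_currency=True))
```

Run it against an assertion captured from your own IdP test login (after signature validation, which this snippet does not perform) to confirm the mapping before turning on provisioning; the "missing (community ...)" line tells you which attributes would fall back to the bucket account or default role rather than being set from the assertion.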