Use this guide to enable the SecureAuth IdP Transformation Engine, which sends customized user information within SAML and WS-Federation assertions.
The Transformation Engine can modify the data within and / or the format of the Profile Properties that are mapped to directory attributes, and / or append static characters to the information. These customizations can be done as global adjustments or as a result of conditions met (if, then; when, otherwise; etc.).
Some common examples are to change the characters to all lowercase or uppercase letters (EXAMPLE; example), add a domain to the User ID (company\username; firstname.lastname@example.org), assert only specific characters from a property (last four digits of SSN), filter user's groups to present only those required, and provide missing information if not present in the property (if Aux ID 1 property contains "word1", then prepend Aux ID 1 with "word2").
The flexibility of this feature enables limitless, post-authentication data modification without requiring additional storage in the directory.
1. Have general scripting, XSLT, and .NET knowledge
2. Create a New Realm or access an existing SAML or WS-Federation assertion realm in the SecureAuth IdP Web Admin
3. Configure the Data tab with an on-premises directory integration and the necessary directory attribute - Profile Property mapping
SecureAuth IdP Configuration Steps
1. In the Post Authentication section of the Post Authentication tab, select a SAML option or WS-Federation Assertion from the Authenticated User Redirect dropdown
User ID Mapping
2. Click Transformation Engine
3. Check Enable Transformation Engine
4. Add customization to the provided code, utilizing the SecureAuth IdP Profile Property values
The information saved here is not saved in the web.config file
Access the saved information (for realm duplication / movement purposes) at D:\SecureAuth\SecureAuth<realm>\PostAuthData\usersprofiledata.xslt
Click Save once the configurations have been completed and before leaving the Transformation Engine page to avoid losing changes
The default (out-of-the-box) code provided in the Web Admin
Appends +1 to the beginning of the Phone 1 Profile Property data for every user accessing the realm
Conditional circumstances code enables SecureAuth IdP to alter the data being sent if the conditions outlined are met. Utilize "if, then", "choose", "when, otherwise", and other statements to create various outputs.
Below is code with conditional circumstances examples, followed by explanations of what is presented.
When the current "Value" (Group Name) is Domain Admins, change the format of the name to all uppercase (calling the UpperCase function – see the Data Manipulation section for more information); otherwise, leave the "Value" as currently formatted