...
In addition to the above, the govconext application expects a few more attributes to be passed back in the SAML response, which are shown below. For a more elaborate overview and classification, please see the attributes overview. These attributes are also pre-populated but you can review them as per your requirements. Below is the list, and after the list an instruction on how to enter them. The attributes shown in bold are mandatory:
Name | Source Attribute |
urn:mace:dir:attribute-def:cn eduPersonPrincipalName | user.displayname userprincipalname* |
urn:mace:dir:attribute-def:displayName uid | user.displayname userprincipalname |
urn:mace:dirterena.org:attribute-def:eduPersonPrincipalName schacHomeOrganization | A manipulation of: user.userprincipalname* |
urn:mace:dir:attribute-def:givenName cn | user.givenname displayname |
urn:mace:dir:attribute-def:mail displayName | user.mail displayname |
urn:mace:dir:attribute-def:preferredLanguage givenName | user.preferredlanguage givenname |
urn:mace:dir:attribute-def:sn | user.surname |
urn:mace:dir:attribute-def:uid mail | user.userprincipalname mail |
urn:mace:dir:attribute-def:eduPersonAffiliation preferredLanguage | user.extensionattribute1** preferredlanguage |
urn:mace:dir:attribute-def:eduPersonScopedAffiliation eduPersonAffiliation | Join(user.extensionattribute1, "@[yourorganisationdomain].nl")** |
urn:mace:terena.orgdir:attribute-def:schacHomeOrganization | employee@[schacHomeOrganization]* |
| Informatie |
|---|
*) if your EntraID tenant contains multiple domains, always the correct domain belonging to the specific user must be sent in this attribute |
| Informatie |
|---|
**) your organization might use a different attribute for a ‘role’. It is possible to fixate this attribute to the literal text ‘employee’, see attributes |
Add an
...
attribute with a 1:1 mapping
For each of the claims in the table above, you need to go through the following steps. Attribute mappings that require manipulation are explained in the next section.
In the box ‘Attributes & Claims’, click ‘Edit’.
...
Enter the claim name (first column in the table above) in the ‘Name’ field and select the Source attribute that you found in the second column in the table above:
...
Repeat the steps for every attribute mentioned in the table above.
Add an attribute that requires manipulation
The urn:mace:terena.org:attribute-def:schacHomeOrganization is slightly more complex:
...
In the Manage transformation page, perform the following steps:
...
Select Extract() from the dropdown in Transformation field and click After matching button.
Select Attribute as a Parameter 1 (Input).
In the Attribute name field, select user.userprinciplename from the dropdown.
Select @ value from the dropdown.
Click Add.
Please add the default SchacHomeOrganization(s) used within your organization in the form ‘Technisch Intakeformulier govconext’ (usually the same as the main e-maildomain.nl). If your tenant contains multiple organizations, please provide each schacHomeOrganization in the table including their formal name, like Organisatie X and Y in the example below. If you serve multiple organizations that each have their own tenant, you can add them to the same table, like Organisatie Y and Z in the example below:
Organisatienaam in WAYF overzicht*: | Metadata URL*: | SchacHomeOrg**: | govguest | getgovroam | govvpn |
Organisatie X* | https://orgX.nl/metadata http:// | domainX.nl | j | j | n |
Organisatie Y | n | j | n | ||
Organisatie Z | j | j |
The SAML configuration in EntraID (AAD) is now ready.
Submit the intake form
...