...
Name | Source Attribute |
urn:mace:dir:attribute-def:eduPersonPrincipalName | user.userprincipalname* |
urn:mace:dir:attribute-def:uid | user.userprincipalname |
urn:mace:terena.org:attribute-def:schacHomeOrganization | A manipulation of: user.userprincipalname* (see further) |
urn:mace:dir:attribute-def:cn | user.displayname |
urn:mace:dir:attribute-def:displayName | user.displayname |
urn:mace:dir:attribute-def:givenName | user.givenname |
urn:mace:dir:attribute-def:sn | user.surname |
urn:mace:dir:attribute-def:mail | user.mail |
urn:mace:dir:attribute-def:preferredLanguage | user.preferredlanguage |
urn:mace:dir:attribute-def:eduPersonAffiliation | user.extensionattribute1**fixed text value ‘employee’ (without ' ', Microsoft will automatically add “ “) |
urn:mace:dir:attribute-def:eduPersonScopedAffiliation | A manipulation in the form: employee@[schacHomeOrganization]* (see further) |
| Informatie |
|---|
*) if your EntraID tenant contains multiple domains, always the correct domain belonging to the specific user must be sent in this attribute |
...
| Informatie |
|---|
...
**) your organization might use a different attribute for a ‘role’. It is possible to fixate this attribute to the literal text ‘employee’, see attributes
for more information: see the wiki page attributes |
For each of the claims in the table above, you need to go through the following steps.
Attributes that are exact copies of EntraID claims can easily be created based on the instruction in the next paragraph.
Attribute mappings that require manipulation are explained in the next sectionsubsequent sections.
Add an attribute with a 1:1 mapping
In the box ‘Attributes & Claims’, click ‘Edit’.
...
Enter the claim name (first column in the table above) in the ‘Name’ field and select the Source attribute that you found in the second column in the table above:
...
For urn:mace:dir:attribute-def:eduPersonAffiliation it is sufficient to simply type ‘employee’ in the source attribute field without the quotes, Microsoft will automatically put the word in double quotes.
Repeat the steps for every attribute mentioned in the table above.
...
The Affiliation attribute contains a role that can be set to ‘employee’ by default. The ScopedAffiliation attribute should also add the domain of the user, which is in fact the same as schacHomeOrganization. This can be achieved by a transformation of the type ‘RegexReplace()’ with:
Regex pattern: ^.*\@(?'domain')
Replacement pattern (vervangingspatroon): employee@{domain}
...
Submit the intake form
Please complete the form ‘Technisch Intakeformulier govconext’ with the metadata-URL and default schacHomeOrganization and the other required information and send it through the govroam ‘klantportaal’ and/or ‘tech@govroam.nl’.
...
Once govconext is setup by stichting govroam, you will receive a notification that it is ready to use, and you can then log in to the govroam services that your organization subscribed to via your own IdP. …
Please test
You can then test the authentication and attribute mappings by browsing to:
govconext-Acceptatie: https://acc.govconext.nl/debug
govconext-Productie: https://govconext.nl/debug
The results …and then search for your organization, after which you can login at your own organization. After that, the debug page should look like the screenshot below. The first four default Microsoft claims will be validated as a warning (yellow symbol) which you can ignore. All others must be validated correctly with a green symbol:
...