iMIS Power Suite - SSO Premium
SAML Profile Data
This article outlines how user profile data is sent from iMIS, via SAML attributes, to third-party sites.
Authoring the profile query
Review the following tips when authoring the Profile query:
- The base object should be CsNameUser. Then, join CsContact with the following relationship: When CsNameUser.Id = CsContact.iMIS Id
- The profile query must filter on the iMIS Username (not the iMIS ID). It should have only one visible prompt, marked required, filtering on CsNameUser.User Id.
- Other non-prompt filters are okay to add (using "AND" logic).
- Display any desired columns.
- Sorting is not necessary, as this query should always only return one result.
- Always enter column aliases into the Alias field. The standard iMIS column names do not translate correctly into SSO field names.
- The profile query must always return exactly one row when run for an iMIS username. Zero rows means the user gets no profile attributes; more than one means the wrong person's data could be asserted, so treat either case as a configuration error.
- You cannot rely on the Limit query results setting to enforce this. The query must return one row with that option disabled.
- For date, numeric, bit, and other non-string fields, you can add a custom SQL expression to the query to format the value as needed. Do not forget to include the alias. For example:

| Expression | Alias | Result |
|---|---|---|
| FORMAT([vBoCsContact].[BirthDate], 'd', 'en-us') | birthdate | Formats the birthdate in U.S. format, e.g. 11/26/1985 |
Sample query
ASI provides a sample query for you to download as a starting point. It contains a number of out-of-the-box iMIS fields already aliased to the standard OpenID Connect field names (such as given_name, family_name, and email, as used in the Profile Example below): Sample query zip folder
NameID formats
The SAML NameID identifies the subject of the assertion. It is often just the username, but SAML allows several other ways to represent a person/subject, and the choice affects whether the SP can link the subject across logins and whether it learns anything about the person.
Note: Select a NameID format that your SP expects. This information is usually found in their documentation, as well as their metadata document.
The following NameID formats are supported:
| Name | SAML URN | Example Data | Description |
|---|---|---|---|
| Unspecified (Username) | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | BSMITH88 | The iMIS username is sent as the NameID. |
| Unspecified (iMIS ID) | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | 1003817 | The iMIS ID is sent as the NameID. |
| Email Address | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | bsmith@example.org | The iMIS primary email address is sent as the NameID. |
| Persistent | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent | 6c555a4f-a7e2-4f4c-b82c-d3e56927928a | The iMIS Net Contact Key is sent. This GUID uniquely identifies an individual in iMIS but has no meaning to a third party. |
| Transient | urn:oasis:names:tc:SAML:2.0:nameid-format:transient | RrILhAy45XcEYzhCt9Hn | A pseudo-random 20-character alphanumeric identifier is generated for each request and sent as the NameID. |
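The note above says to take the NameID format from the SP's documentation or metadata. The following is an added example, not code from iMIS or ASI, that reads the NameIDFormat entries an SP advertises in its metadata, picks the first of your preferred options the SP accepts, and builds the NameID element for each option in the table (including the per-request transient value). The SP metadata, the user record, and the short option names are constructed for the example.

```python
import secrets
import string
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("saml", SAML_NS)

# The five options from the table above. The short keys are this example's own
# naming, not the labels iMIS uses in its configuration screens.
NAMEID_FORMATS = {
    "username":   "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "imis_id":    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "email":      "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient":  "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

_ALNUM = string.ascii_letters + string.digits


def transient_id(length: int = 20) -> str:
    """Fresh 20-character alphanumeric identifier, drawn from a CSPRNG."""
    return "".join(secrets.choice(_ALNUM) for _ in range(length))


def name_id_value(option: str, user: dict) -> str:
    """The subject value the table above assigns to each option."""
    if option == "username":
        return user["username"]
    if option == "imis_id":
        return str(user["imis_id"])
    if option == "email":
        return user["email"]
    if option == "persistent":
        return user["contact_key"]   # opaque GUID, stable across logins
    if option == "transient":
        return transient_id()        # new every request; cannot be used to link sessions
    raise ValueError(f"unknown NameID option: {option}")


def name_id_element(option: str, user: dict) -> str:
    """Serialise <saml:NameID Format="...">value</saml:NameID>, XML-escaped."""
    el = ET.Element(f"{{{SAML_NS}}}NameID", {"Format": NAMEID_FORMATS[option]})
    el.text = name_id_value(option, user)
    return ET.tostring(el, encoding="unicode")


def sp_name_id_formats(metadata_xml: str) -> list:
    """NameIDFormat URNs listed under the SP's SPSSODescriptor, in document order."""
    root = ET.fromstring(metadata_xml)
    found = root.findall(".//md:SPSSODescriptor/md:NameIDFormat", {"md": MD_NS})
    return [e.text.strip() for e in found if e.text]


def choose_option(metadata_xml: str, preference: list):
    """First option in `preference` whose URN the SP advertises, else None.

    'username' and 'imis_id' share the unspecified URN, so metadata alone cannot
    tell them apart; only the SP's documentation settles which value it expects.
    """
    advertised = set(sp_name_id_formats(metadata_xml))
    for option in preference:
        if NAMEID_FORMATS[option] in advertised:
            return option
    return None


# Constructed SP metadata: this SP accepts persistent and transient NameIDs only.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sp.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed user record using the example values from the table above.
SAMPLE_USER = {
    "username": "BSMITH88",
    "imis_id": 1003817,
    "email": "bsmith@example.org",
    "contact_key": "6c555a4f-a7e2-4f4c-b82c-d3e56927928a",
}

if __name__ == "__main__":
    option = choose_option(SAMPLE_SP_METADATA, ["email", "persistent", "username"])
    print(option, name_id_element(option, SAMPLE_USER))
```

With the sample metadata the email option is skipped because the SP does not advertise it, and the persistent Contact Key is sent instead. If `choose_option` returns None, the SP's NameIDFormat list and your iMIS setting disagree and logins will fail or silently map to the wrong account, so check that before going live.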
Attributes
SAML Attributes are key-value pairs of data related to the user signing in.
There are two options that drive the SAML Attributes: Profile IQA Query Path and Role IQA Query Path.
Note: SAML attributes are completely optional, so no query path has to be entered in order to perform SAML authentication. Regardless of which query paths are set, the NameID is always sent in the selected format.
Profile Query Path
If this option is specified, the query is run and the username of the user signing in is passed as the only parameter to the query.
The query is expected to return ONE result row and can contain as many columns of information as necessary.
Column names are SAML attribute names, and row values are SAML attribute values.
Role Query Path
If this option is specified, the query is run and the username of the user signing in is passed as the only parameter to the query.
The query is expected to return ONE column of data and can contain as many rows as necessary. The data is expected to be string or string-like (N/VARCHAR). If multiple columns are returned, only the first column is used.
Each row in the results is treated as a value. Depending on the Role Assertion Format setting, the values are either passed as an array, or as a comma-separated string. Because the SP will usually use these values for authorization, make sure the role query filters on the username prompt so that only the roles of the user signing in are returned.
SAML URN Attribute Names (Optional)
SAML / LDAP Attribute name URNs are supported. You will need to specify these URNs as the column names in the query to pass them to the SP.
SAML URNs are auto-detected in column names. If a column name begins with urn:oid:... then it is sent with the URI attribute name format (instead of basic format).
Important! Regardless of the data type of the column returned from the query, the iMIS SSO always transmits the attribute in string format. If you find that some numeric, date, bit, or other data types are not being formatted correctly when sent in the SAML attribute, try wrapping the column in a CAST() or CONVERT() statement to format the data as needed within the query or SQL.
LDAP OID Common Attributes
The following table lists some common LDAP OIDs that can be used if the connecting SP requires them. The username, persistent ID, and unique ID attributes may not need to be sent if the NameID is configured properly.
| Display Name | OID | SAML Attribute Name |
|---|---|---|
| Username / UID / User Principal | 0.9.2342.19200300.100.1.1 | urn:oid:0.9.2342.19200300.100.1.1 |
| Persistent ID | 1.3.6.1.4.1.5923.1.1.1.13 | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 |
| Unique ID | 0.9.2342.19200300.100.1.44 | urn:oid:0.9.2342.19200300.100.1.44 |
| Name / Common Name / Display Name | 2.5.4.3 | urn:oid:2.5.4.3 |
| First Name / Given Name | 2.5.4.42 | urn:oid:2.5.4.42 |
| Last Name / Surname / Family Name | 2.5.4.4 | urn:oid:2.5.4.4 |
| Email / Mail | 0.9.2342.19200300.100.1.3 | urn:oid:0.9.2342.19200300.100.1.3 |
| Telephone Number | 2.5.4.20 | urn:oid:2.5.4.20 |
| Company / Organization Name | 2.5.4.10 | urn:oid:2.5.4.10 |
| Title | 2.5.4.12 | urn:oid:2.5.4.12 |
| Department | 2.5.4.11 | urn:oid:2.5.4.11 |
| Address | 2.5.4.9 | urn:oid:2.5.4.9 |
| Address 2 | 2.5.4.51 | urn:oid:2.5.4.51 |
| City / Locality | 2.5.4.7 | urn:oid:2.5.4.7 |
| State / Province | 2.5.4.8 | urn:oid:2.5.4.8 |
| Zip / Postal Code | 2.5.4.17 | urn:oid:2.5.4.17 |
| Country | 2.5.4.6 | urn:oid:2.5.4.6 |
Profile Example
If the query returns the following row (the birthdate column is NULL for this contact):
| id | given_name | family_name | email | birthdate |
|---|---|---|---|---|
| 10015475 | Alice | Sample | asample@example.org | |
The SAML attributes would look like this. Note that the NULL birthdate is still sent, as an attribute with an empty value:
<saml:Attribute Name="id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">10015475</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="given_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Alice</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="family_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Sample</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">asample@example.org</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="birthdate" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string"/>
</saml:Attribute>
Profile Example using OID Naming
If the query returns the following information:
| urn:oid:2.5.4.42 | urn:oid:2.5.4.4 | urn:oid:0.9.2342.19200300.100.1.3 |
|---|---|---|
| Alice | Sample | asample@example.org |
The SAML attributes would look like this:
<saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Alice</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">Sample</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xs:string">asample@example.org</saml:AttributeValue>
</saml:Attribute>
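The rules in the Profile Query Path, Role Query Path, and SAML URN Attribute Names sections, and the two examples above, describe how query results become SAML attributes. The following is an added example, not code from iMIS or ASI, that applies those rules to a result set: it rejects anything other than exactly one profile row, sends every value as a string with NULL as an empty value, switches to the URI name format for columns aliased urn:oid:..., collapses the role query's first column into one attribute (array form is assumed to mean one AttributeValue per row), and XML-escapes values so a company name like "Smith & Sons" cannot corrupt the assertion. The attribute name "role" and the sample rows are assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("xsi", XSI_NS)


def name_format_for(column: str) -> str:
    """Columns aliased urn:oid:... go out in URI format, everything else in basic."""
    return URI if column.startswith("urn:oid:") else BASIC


def as_attr_string(value) -> str:
    """Every attribute is transmitted as a string; NULL becomes an empty value.
    Date/number/bit formatting belongs in the query (CAST/CONVERT/FORMAT), so
    nothing clever is attempted here."""
    return "" if value is None else str(value)


def profile_attributes(rows: list) -> list:
    """Map the single profile row to (name, name_format, [value]) triples.
    Zero or several rows is a configuration error; never just take the first."""
    if len(rows) != 1:
        raise ValueError(f"profile query must return exactly one row, got {len(rows)}")
    return [(col, name_format_for(col), [as_attr_string(v)]) for col, v in rows[0].items()]


def role_attribute(rows: list, as_array: bool = True, name: str = "role") -> tuple:
    """Collapse the role query into one attribute, using only the first column of
    each row. Array form: one AttributeValue per row (assumed); otherwise a single
    comma-separated value. The attribute name is an assumption of this example."""
    values = [as_attr_string(row[0]) for row in rows]
    if as_array:
        return (name, name_format_for(name), values)
    return (name, name_format_for(name), [",".join(values)])


def render(attributes: list) -> str:
    """Serialise <saml:Attribute> elements; ElementTree escapes &, <, > and quotes."""
    parts = []
    for name, fmt, values in attributes:
        attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": name, "NameFormat": fmt})
        for value in values:
            av = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue",
                               {f"{{{XSI_NS}}}type": "xs:string"})
            av.text = value
        parts.append(ET.tostring(attr, encoding="unicode"))
    return "\n".join(parts)


# Constructed sample data: the profile row from the Profile Example above
# (birthdate NULL) plus a hypothetical two-row role result.
SAMPLE_PROFILE_ROWS = [{"id": 10015475, "given_name": "Alice", "family_name": "Sample",
                        "email": "asample@example.org", "birthdate": None}]
SAMPLE_ROLE_ROWS = [("Member",), ("Committee Chair",)]

if __name__ == "__main__":
    attrs = profile_attributes(SAMPLE_PROFILE_ROWS)
    attrs.append(role_attribute(SAMPLE_ROLE_ROWS, as_array=False))
    attrs.append(("urn:oid:2.5.4.10", URI, ["Smith & Sons"]))
    print(render(attrs))
```

Running it reproduces the five basic-format attributes shown in the Profile Example (with an empty birthdate), followed by a comma-separated role attribute and a URI-format organization attribute whose ampersand is escaped. Feeding two rows, or none, raises instead of silently asserting a guessed identity.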