Attribute claims guide
Attribute claims in Trend Cloud One
When setting up SAML attributes and claims, it is common to set NameID to a specific value. This is important in configurations such as ADFS where you need to manually specify the NameID value, as opposed to other services that automatically configure it for you.
NameID must be present, otherwise single sign-on does not work. Trend Cloud One uses the NameID to identify a SAML user in Trend Cloud One; it also maps optional claims for Name, Locale, and Timezone.
When you navigate to My Profile, you are not considered to be inside an account. Therefore you should expect to see a blank e-mail since it is not used alongside your other mappings.
Default values
If Name, Locale, or Timezone are either not mapped during your identity provider creation, or not present or valid in your identity provider's directory, then these optional claims use the following default values:
- Name: Your NameID from the SAML assertion. Note that the format of the NameID is determined by your identity provider configuration. You should use a persistent identifier, for example email, based on the user's identity rather than a transient value.
- Locale: English unless your browser language is set to Japanese. Note that if a language has previously been selected from Trend Cloud One's language picker, then it uses that cached value instead.
- Timezone: Defaults to the time zone value that your browser determines.
Map to locale and timezone
Locales currently supported are en (English) and ja (Japanese).
Timezone should match the database name, for example America/Toronto.
Customize claims from the service provider
Most service providers provide the ability to customize claims:
- In Microsoft Entra ID, this is called Transformations.
- In Okta, this is done with their Expression Language. Note that they also have different user references. The most common is the user profile (user.) but data can also come from the application user profile (appuser.) or IdP user profile (idpuser.).
- In Active Directory Federation Services (ADFS), you can do this when creating a Custom Rule.
- In Google you can create Custom Attributes for user profiles. However there is no expression support at this time.
Here are some examples of why you would want to do this:
- Add new name, timezone, or locale fields to user profiles and map to those if the identity provider's user directory is insufficient or if you do not want to use the default values from Trend Cloud One.
- Combine first and last name and map that to Name in Trend Cloud One.
- Trim the preferredLanguage from a Microsoft product, which is in the format of en-US, to just return en and map that to Locale.
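The following pre-flight check is an added example, not Trend Cloud One or identity provider code. It reads a decoded SAML assertion and reports which claims would fall back to the defaults described above. The attribute names name, locale and timezone, the sample assertion, and the reading of "database name" as an IANA tz database name are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from zoneinfo import available_timezones

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
LOCALES = {"en", "ja"}  # locales the page lists as supported
# Assumption: "database name" means an IANA tz database name such as America/Toronto.
KNOWN_TZ = available_timezones()  # empty when the host has no tz data
TZ_SHAPE = re.compile(r"^[A-Za-z_]+(/[A-Za-z0-9_+-]+)+$")  # fallback: Area/Location shape

# Constructed sample. The attribute names "name", "locale", "timezone" are assumptions.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID
   Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alex@example.com</saml:NameID>
 </saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="locale"><saml:AttributeValue>en-US</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="timezone"><saml:AttributeValue>Eastern Standard Time</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_claims(assertion_xml):
    """Return (claims, findings) for one decoded SAML assertion."""
    root = ET.fromstring(assertion_xml)  # constructed input; use a hardened parser for untrusted XML
    claims, findings = {}, []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return claims, ["NameID missing: single sign-on will not work"]
    claims["NameID"] = name_id.text.strip()
    if name_id.get("Format") == TRANSIENT:
        findings.append("NameID format is transient: use a persistent identifier")
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    claims["Name"] = attrs.get("name") or claims["NameID"]  # page default: Name falls back to NameID
    locale, tz = attrs.get("locale", ""), attrs.get("timezone", "")
    if locale in LOCALES:
        claims["Locale"] = locale
    elif locale:
        findings.append(f"Locale {locale!r} is not en or ja: the default will apply")
    tz_ok = tz in KNOWN_TZ if KNOWN_TZ else bool(TZ_SHAPE.match(tz))
    if tz_ok:
        claims["Timezone"] = tz
    elif tz:
        findings.append(f"Timezone {tz!r} is not a tz database name: the default will apply")
    return claims, findings

if __name__ == "__main__":
    print(check_claims(SAMPLE))
```

The constructed sample carries an untrimmed en-US locale and a Windows-style time zone name, so both are reported and neither claim is mapped.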