Hi,
We have configured SAML login in our environment but we are having trouble mapping the email attribute. Our client has two types of SAML users:
We are trying to find a way to make this mapping dynamic so it can work for both types of users with the same IdP. We need a way to validate if the email claim is empty and map the name claim instead. Is this possible?
We haven't found any way to do this but we wanted to ask in case anyone knows or has any ideas that we can try.
Thanks in advance
Patricia and Stefan Helzle
Stefan’s suggestion about creating separate configurations is a great starting point! If that’s not feasible, here are a couple of other ideas:
Rule-Based Mapping at the IdP: If your IdP supports conditional logic, you could configure it to check if the email claim is empty. If so, fall back to using the name claim for the email attribute before sending it to Appian.
Middleware Preprocessing: If you have a middleware layer between the IdP and Appian, it could inspect the SAML assertion and adjust the claims dynamically (e.g., map name to email when the email claim is empty).
naveenkumar11800
We don't have a middleware layer between the IdP and Appian, so the second option wouldn't be valid for us. I'll check with my team and the IdP to see if we can get two metadata files for the configuration, as Stefan mentioned, or apply the logic you mention in the IdP itself. Thank you!