https://community.appian.com/discussions/f/administration/38019/saml-dynamic-attribute-mappingHi, We have configured SAML login in our environment but we are having trouble mapping the email attribute. Our client has two types of SAML users: internal who have their email defined in the email claim. external who do not have any value defineden-USTelligent Community 12https://community.appian.com/thread/143067?ContentTypeID=1Mon, 25 Nov 2024 07:36:11 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:657e73f9-8f1c-4f4d-b1fc-6712b007716bPatricia<p><a href="/members/naveenkumarr7411">naveenkumar11800</a>&nbsp;</p> <p>We don&#39;t have a middleware layer between the IDP and Appian, so the second option wouldn&#39;t be valid for us. I&#39;ll check with my team and the IDP to see if we can get two metadata files for the configuration, as Stefan mentioned, or apply the logic you mention in the IDP&nbsp;itself.<br />Thank you!</p><div style="clear:both;"></div>https://community.appian.com/thread/143066?ContentTypeID=1Mon, 25 Nov 2024 07:26:32 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:775f9fdc-15bf-47d5-862d-f552b534fbbbPatricia<p>We are trying to figure out if we can do this directly in Appian as it will be the easiest and quickest for us while we review this issue with the IDP.</p><div style="clear:both;"></div>https://community.appian.com/thread/143065?ContentTypeID=1Mon, 25 Nov 2024 07:20:50 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:7efcbf49-c7e3-45ee-b795-eb2dfac128c3Stefan Helzle<p>Sure, you will need two of these.</p><div style="clear:both;"></div>https://community.appian.com/thread/143063?ContentTypeID=1Mon, 25 Nov 2024 07:13:30 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:0f082c7d-c414-486d-aaeb-71d542ea1471Patricia<p>I have tried this already but Appian doesn&#39;t allow to use the same Idp metadata file in two different confgurations. I get this error <em>&quot;Another identity provider already exists with the same entity ID provided in this metadata file. Entity IDs must be unique.&quot;</em></p><div style="clear:both;"></div>https://community.appian.com/thread/143033?ContentTypeID=1Sat, 23 Nov 2024 14:53:05 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:45eb1099-c9a8-46c2-88c9-5412a3a56d49naveenkumar11800<p>&nbsp;<a href="/members/patriciad0003">Patricia</a>&nbsp; and&nbsp;<a href="/members/stefanhelzle0001">Stefan Helzle</a>&nbsp;</p> <p>Stefan&rsquo;s suggestion about creating separate configurations is a great starting point! If that&rsquo;s not feasible, here are a couple of other ideas:</p> <ol> <li> <p><strong>Rule-Based Mapping at the IdP:</strong><br />If your IdP supports conditional logic, you could configure it to check if the <code>email</code> claim is empty. If so, fallback to using the <code>name</code> claim for the email attribute before sending it to Appian.</p> </li> <li> <p><strong>Middleware Preprocessing:</strong><br />If you have a middleware layer between the IdP and Appian, it could inspect the SAML assertion and adjust the claims dynamically (e.g., map <code>name</code> to <code>email</code> when the <code>email</code> claim is empty).</p> </li> </ol><div style="clear:both;"></div>https://community.appian.com/thread/143022?ContentTypeID=1Fri, 22 Nov 2024 14:32:14 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:23aff685-c7eb-4ff2-bfda-075a5483e582Stefan Helzle<p>Did you consider to create two separate configurations to the same IDP but with different mappings? When putting the two user groups into different Appian groups you can make them automatically use their respective login.</p><div style="clear:both;"></div>https://community.appian.com/thread/143018?ContentTypeID=1Fri, 22 Nov 2024 12:00:37 GMTd3a83456-d57b-489c-a84c-4e8267bb592a:22d5aa9c-2941-4a8a-88f6-cf726d3a5ef5David Jimenez <p>Could&#39;nt be possible map that value in another way?&nbsp; I mean, apply that logic on the client side.,</p><div style="clear:both;"></div>