Single Sign On (SSO) allows clients to log in through their identity provider. Instead of having to type in their Domain Name, User Name and Password, users are redirected to the identity provider associated with their domain.
...
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"/>
For example, the Chemwatch system will use one of the name claims (Name ID, Name, Given Name or Windows account name) as its first preference during SSO login, and will populate the User Login and Person Name fields on the Chemwatch user record (during self-registration on first user login) if such a claim is available.
If both Name ID and one of the other name claims are available, Name ID maps to the User Login field and the other claim maps to the Person Name field on the Chemwatch user record. If the Name ID claim is not available, the Name claim is used to populate both the User Login and Person Name fields.
If the Name claim is not available either, the Given Name claim is used to populate both the User Login and Person Name fields on the Chemwatch user record.
At least one of the Name ID, Name, Given Name or Windows account name claims must be sent in order to log in to Chemwatch via SSO. The E-Mail Address claim, if available, is used to populate the Email field of the Chemwatch user record.
...
If you set up your IDP as above, then inside the Chemwatch application your SAM-Account-Name is mapped to our User Login field, your E-Mail-Addresses attribute is mapped to our Email field and your Display-Name is mapped to our Person Name field. The important point to remember is that, as per the example above, your Outgoing Claims Name ID and E-Mail Address are mapped to our User Login and Email fields respectively, and the 3rd Outgoing Claim, Name, is mapped to our Person Name field inside the Chemwatch application.
In the absence of the 2nd and 3rd Outgoing Claims (E-Mail Address and Name in the example above), Name ID is mapped to both the Person Name and User Login fields at our end, and the Email field at our end is left blank.
In the absence of just the 3rd Outgoing Claim (Name in the example above), Name ID is mapped to both the Person Name and User Login fields at our end, and E-Mail Address is mapped to our Email field.
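The precedence rules above (which claim fills User Login, Person Name and Email, and what happens when Name ID, E-Mail Address or Name are missing) are worked through in this added example; it is not Chemwatch's code. It parses a constructed SAML 2.0 AttributeStatement with the claim URIs from the attribute list above and assumes that, when several non-Name-ID name claims are present, Person Name takes the first one in the order Name, Given Name, Windows account name.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
NAME_ID = CLAIMS + "nameidentifier"
EMAIL = CLAIMS + "emailaddress"
# Fallback order for the User Login / Person Name fields described in the text.
NAME_CLAIMS = [
    NAME_ID,
    CLAIMS + "name",
    CLAIMS + "givenname",
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
]


def extract_claims(attribute_statement_xml: str) -> dict:
    """Return {claim URI: first non-empty AttributeValue} from an AttributeStatement."""
    root = ET.fromstring(attribute_statement_xml)
    claims = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        if value is not None and value.text and value.text.strip():
            claims.setdefault(attr.get("Name"), value.text.strip())
    return claims


def map_user_record(claims: dict) -> dict:
    """Apply the claim-to-field precedence: login, person name and email."""
    present = [c for c in NAME_CLAIMS if c in claims]
    if not present:
        raise ValueError("no Name ID, Name, Given Name or Windows account name claim")
    login = claims[present[0]]
    # Name ID plus another name claim: Name ID -> User Login, the other -> Person Name.
    # Otherwise the single best name claim fills both fields.
    if present[0] == NAME_ID and len(present) > 1:
        person = claims[present[1]]
    else:
        person = login
    return {"user_login": login, "person_name": person, "email": claims.get(EMAIL, "")}


# Constructed sample statement (not a real assertion): Name ID, E-Mail Address and Name.
SAMPLE = f"""<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="{NAME_ID}"><AttributeValue>jsmith</AttributeValue></Attribute>
  <Attribute Name="{EMAIL}"><AttributeValue>j.smith@example.com</AttributeValue></Attribute>
  <Attribute Name="{CLAIMS}name"><AttributeValue>Jane Smith</AttributeValue></Attribute>
</AttributeStatement>"""

if __name__ == "__main__":
    print(map_user_record(extract_claims(SAMPLE)))
```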
In this example, the Name ID is what uniquely identifies the SSO user in the system.
Sending the Outgoing Claim: Name ID is required.
You choose which of your LDAP attributes to map to those Outgoing Claim Types.
The metadata.xml from the Chemwatch side that will be used to configure your IDP looks like the following:
...