Mapping Active Directory, LDAP, and Workday Values in a SAML template

Important Note

The Template SAML 2.0 application is deprecated. It is strongly recommended that you use the SAML App integration Wizard instead of the template app for creating new SAML integrations in the Admin Console. The Wizard is more powerful and easier to use than the Template and will get even better over time. The ability to create new Templates may also be restricted in the future. However, existing Templates will continue to be supported. See Using the App Integration Wizard for more details.

When you integrate Okta with third-party SAML 2.0 service providers using the Template SAML 2.0 application, you can map Active Directory, LDAP, and Workday user values to SAML attributes. In addition to the standard Okta profile attributes (First Name, Last Name, Email, and Okta Username), you can use additional attributes that have been pulled into Okta from other sources.

To configure your Template SAML 2.0 application:

  1. From the Administrator Dashboard, select Applications and click the Add Applications button.

  2. Enter Template SAML 2.0 App in the search field and select it.

  3. After configuring the General Settings for this app, select the Sign On tab and click the View Setup Instructions link.

    For a list of the supported values, select the Active Directory, LDAP, or Workday link on this page.

    [Screenshot: setup instructions page with the Active Directory, LDAP, and Workday links]

  4. Identify the instanceId of the repository you want to use. The instanceIds of all configured Active Directory, LDAP, and Workday instances are shown on this page. For example, in the screenshot below, you can see an LDAP instance with the ID "0oa1npu9k2M2FZAGTMPV". Use that instanceId for each attribute referenced in the mapping.

    [Screenshot: LDAP instance with its instanceId]

  5. On the General tab of the Template SAML 2.0 app, configure the attribute statement field to map user values to SAML attributes. For each repository type (Active Directory, LDAP, and Workday), the attribute names and lists are slightly different. Make sure you use the corresponding attribute names for your repository. The Application Specific Attributes section provides a list of the Active Directory, LDAP, and Workday attribute names and formats that are available.

    Note: The attribute statement field accepts at most 1024 characters. The attribute format information is optional. If you run out of space in the attribute statement, try removing the format statement below from each attribute, for example urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified.
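The note above matters on the service-provider side as well: once the NameFormat is dropped from the attribute statement, the SP must treat the attribute as having the unspecified format, which SAML 2.0 Core (section 2.7.3.1) defines as the default. The following is an added example, not Okta code, showing an SP-side parser that applies that default and checks that the directory-sourced attributes the SP expects actually arrived. The attribute names (email, sAMAccountName, memberOf) and the assertion fragment are constructed sample data.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: an AttributeStatement carrying Okta profile and Active Directory
# values. Only the first attribute keeps an explicit NameFormat; the others omit it,
# as the note above suggests when the 1024-character field runs out of space.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="email" NameFormat="{UNSPECIFIED}">
    <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="sAMAccountName">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>CN=VPN Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=Staff,OU=Groups,DC=example,DC=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attribute_statement(xml_text):
    """Return {Name: {"format": NameFormat, "values": [...]}} for each saml:Attribute.

    A missing NameFormat is resolved to 'unspecified', the SAML 2.0 default, so
    assertions whose format statements were removed still parse as intended.
    Call this only after the enclosing Response/Assertion signature has been
    verified; the attributes are untrusted until then.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs[attr.get("Name")] = {
            "format": attr.get("NameFormat", UNSPECIFIED),
            "values": values,
        }
    return attrs


def missing_attributes(attrs, required):
    """Names in `required` that are absent from the statement or carry no value."""
    return [name for name in required if not attrs.get(name, {}).get("values")]
```

A mapping mistake (wrong instanceId, misspelled directory attribute) usually shows up here as an attribute that is absent or empty rather than as an error, so logging the result of `missing_attributes` on the SP side makes such misconfigurations visible.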