Attribute Mapping enables the transformation of attribute names and values from authentication methods. It is possible to change the case of existing attributes and also create arbitrary attributes based on logical queries about the presence or absence of method attributes and method attribute values.

Using Attribute Mappings it is also possible to perform conversion of the Finnish electronic client identifier (sähköinen asiointitunnus, SATU) to a personal identity number (henkilötunnus, HETU) via the Finnish Population Register using the vtjkysely system.

An example use of attribute mapping is for the harmonization of attribute names and data formats across different authentication methods. For example, the TUPAS authentication method sends a customer's personal identity number in a field called CUSTID when the value of CUSTTYPE is 01. If the value of CUSTTYPE is 03, the CUSTID contains a company number (y-tunnus). Using Attribute Mapping, it is possible to configure a set of rules so that customer numbers are passed to applications in a field called "hetu", and company numbers are in a field called "y-tunnus".

It is also possible to get a person's Finnish electronic client identifier (sähköinen asiointitunnus, SATU) from a Finnish Identity Card (HST-kortti) using the Ubisecure Certificate Authentication provider. This number can then be converted to a personal identity number (henkilötunnus, HETU) via the Finnish Population Register using the vtjkysely system.

Figure 1 shows an example of how attributes from different authentication providers can be mapped and transformed using Method Attribute Mapping. In the case shown, the personal identity number of citizens are presented to an application in a consistent variable called 'hetu', regardless of whether they have authenticated using a Finnish Identity Card or using their bank. Similarly, company numbers are detected and presented in a field called "y-tunnus".


Figure 1: Method Attribute Mapping example

Another common use for method attribute mapping is the mapping of federated identity data.

For simple Authentication Method attribute renaming, an Authorization Policy can be used. Authorization Policies determine which user attributes are passed to Web Applications. It is also possible to rename method attributes using the method tag, as described in Management UI site methods - SSO.

The attribute mappings screen (Home, Attribute Mappings) presents a list of method attribute mapping tables.


Figure 2: Attribute Mappings list

New Mapping
Create a new method attribute mapping table
Delete Mapping
Delete selected method attribute mapping tables
Method attribute mapping table
Method attribute mapping table configuration view may be opened by clicking the name of method attribute mapping table in the list.

Main View


Figure 3: Attribute Mappings main view

Name
Name of the method attribute mapping table
Description
Description of the method attribute mapping table
Update
Update the modified description
New
Create a new method attribute mapping table
Delete
Delete the method attribute mapping table
Rename
Rename the method attribute mapping table

Attributes View


Figure 4: Attribute Mappings Attributes view

Attributes view shows the contents of a method attribute mapping table. Each entry of the attribute mapping table consists of a name, a value, and an optional precondition.

Attribute Mapping Entry
Click a method attribute mapping entry to edit values
Name
Name defines the name of an attribute to be set.
Value
Value may be a constant string, a method attribute enclosed in curly braces, or a combination. Method attribute names enclosed in curly braces are replaced with corresponding method attribute values. Final attribute value is a concatenation of constant strings and replaced method attribute values. Curly braces may also contain an operation defined by a prefix. Syntax and supported prefixes are described below.
- Prefix-syntax
  Entries may contain strings of following form: {prefix:value} Prefix defines the operation to be performed for value, which in turn may be a string, a method attribute, or an operation. If prefix is omitted, method is assumed as a default.
- Supported prefixes
  - method
    Value refers to a method attribute. Entry is replaced with value of defined method attribute. If no prefix is defined, default is method. For example, {method:CUSTID} and {CUSTID} both refer to value of method attribute CUSTID.
  - uppercase
    Value is transformed to upper case. For example, {uppercase:{CUSTNAME}} is replaced with value of method attribute CUSTNAME transformed to uppercase.
  - lowercase
    Value is transformed to lower case. For example, {lowercase:{CUSTNAME}} is replaced with value of method attribute CUSTNAME transformed to lowercase.
  - vtj
    Used only for Finnish identity number conversion. Value must be satuhetu. Entry is replaced with a result of a satu-hetu query. The utilized authentication method must be assigned with a satu-hetu-configuration and must have resolved the user's certificate. Please refer to Ubisecure Certificate or ETSI MSSP Authentication method documentation for more information about configuring soso. For example, {vtj:satuhetu} is replaced with result of satu-hetu query.
Precondition (optional)
Precondition may be defined for setting an attribute. Precondition syntax follows the LDAP search filter syntax. Please refer to RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt) for a specification of the LDAP search filter syntax.
Supported logical connectors include AND (&), OR (|), and NOT (!). Equality (=) symbol is the only supported matching operator. The value may be a constant string or an asterisk (*) symbol. Asterisk represents all non-empty values. Attribute names and values are case-sensitive, and must not contain any of the following characters: "&", "|", "!", "=", "(", and ")". Please refer to the authentication methods documentation for information about the attributes set by specific methods.
Example: CUSTTYPE=01 represents a simplest possible precondition. It consists of a single method attribute name CUSTTYPE, an equality operator, and a value 01. Precondition evaluates successfully if the value of method attribute CUSTTYPE is exactly 01. More complex preconditions may be constructed with logical operators. For example, precondition (|(CUSTTYPE=01)(CUSTTYPE=02)) evaluates successfully if the value of method attribute CUSTTYPE is either 01 or 02.
Add
Create a new attribute mapping entry
Remove
Remove selected attribute mapping entries

Methods View


Figure 5: Attribute Mappings Methods view

Methods view shows the list of available authentication methods. Selected methods are assigned with the current method attribute mapping table. Each method may be assigned with at most one attribute mapping table at a time. Therefore assigning a mapping table for a method replaces the previous assignment.

Update
Assign the method attribute mapping table with the selected authentication methods.

Browser not supported