
OleksandrV.54092 (Customer) asked a question.
Hello.
I have trouble with the pre-configured "Figma" app in Okta.
With this app I want to use a domain other than our main domain. In other apps that I've created on my own, I simply change the app username to a custom one with the following expression:
substringBefore( user.email, "@") + "@new-domain.com"
And it works as expected - the apps see the username with the new domain.
But this trick doesn't work with Figma. Whatever I do, this app sees the username with our main domain, which is not what I need.
I tried to change the username, and tried to map the emailAddress attribute under the app profile editor. Nothing helps.
Figma's support says that they look for the "emailAddress" attribute in the SAML response. And it looks like Okta ignores my custom domain. Maybe I'm missing something?
Thanks.

Go up to the Directory tab and select Profile Editor. Locate your app's profile in the list and click the Mappings button. Select the "Okta User to <your app>" button at the top to view how Okta is mapping Okta profile attributes to your app's attributes. Look for the "emailAddress" attribute in the app's attributes in the right column. Now, in the left column, you can modify the expression Okta uses to populate the emailAddress attribute in the assertion. You should be able to use the same expression you mentioned above (or something close to it).
BTW, what you described above was modifying the app's username attribute, but it sounds like the app doesn't even use that attribute. Instead it uses what it finds in the emailAddress attribute, which is hidden by the template. Modifying the app profile attribute mapping gets you in under the template settings. Best of luck.
Thanks, Mike, for the answer. I already tried this solution earlier, and this is the problem - it does not work.
These are my current settings, and here is the decoded SAML response:
array (
'Value' => 'username@OLD-DOMAIN.com',
'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
)
As we can see, even with custom profile attributes, Okta ignores them. Maybe the problem is because of SAML 1.1?
Hi
I am able to achieve this. Screenshot below. Can you post the attribute details of emailAddress? Is it a mandatory attribute?
Hello. Thank you for the reply.
I tried to do the same as you did, but that doesn't work either.
This is what I can find in SAML response:
array (
'Value' => 'username@OLD-DOMAIN.com',
'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
)
Even with a custom expression and mapping for the "emailAddress" attribute, Okta ignores it and uses the default expression.
Looks like this is an issue with the pre-built app, because with manually built apps everything works as expected.
I think you are right. Even I see that the old email address is being passed in the SAML response.
<saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sandeep_khurana@live.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2020-04-30T02:02:57.577Z"
Recipient="https://www.figma.com/saml//consume" /></saml2:SubjectConfirmation>
</saml2:Subject>
I think you can't modify the pre-built app configurations.
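A way to see which element of a decoded SAML response carries which address, as an added example that is not part of the thread: the Subject's NameID and an Attribute inside an AttributeStatement are separate elements, and the decoded snippets posted above show only the NameID. The sample assertion and its domains are constructed, and the presence of an Attribute named emailAddress is an assumption based on what Figma's support is quoted as saying.

```python
import base64
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: placeholder domains, not values from the thread.
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username@old-domain.example</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="emailAddress">
      <saml2:AttributeValue>username@new-domain.example</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def decode_post_binding(b64_response):
    """Decode the base64 SAMLResponse form field of an HTTP-POST binding."""
    return base64.b64decode(b64_response).decode("utf-8")


def email_fields(xml_text):
    """Return (location, value) for the NameID and every attribute value."""
    # Intended for a response captured from your own test login.
    root = ET.fromstring(xml_text)
    found = []
    for name_id in root.iter(f"{{{ASSERTION_NS}}}NameID"):
        found.append(("Subject/NameID", (name_id.text or "").strip()))
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        for value in attr.iter(f"{{{ASSERTION_NS}}}AttributeValue"):
            found.append((f"Attribute[{attr.get('Name')}]", (value.text or "").strip()))
    return found


def wrong_domain(xml_text, expected_domain):
    """List the locations whose address is not in expected_domain."""
    suffix = "@" + expected_domain.lower()
    return [loc for loc, val in email_fields(xml_text)
            if "@" in val and not val.lower().endswith(suffix)]


if __name__ == "__main__":
    for location, value in email_fields(SAMPLE_ASSERTION):
        print(f"{location}: {value}")
    print("wrong domain:", wrong_domain(SAMPLE_ASSERTION, "new-domain.example"))
```

Run against a response captured from a test login, this shows whether an attribute mapping changed the Attribute value while the NameID, which follows the application username setting, stayed on the old domain.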