Rackspace Identity Federation Guide

Attribute mapping for ADFS

The normal method for mapping ADFS users to Rackspace roles or permissions is to use ADFS groups. This section shows how to configure ADFS to send both the groups to which users belong and user information as SAML assertions, and gives an example Attribute Mapping Policy that maps those assertions to Rackspace roles.

Use the following steps for ADFS attribute mapping:

  1. Go to the Claim rules for the Rackspace relying-party trust that you set up, as shown in the following image:

     [Image: Claim rules for the Rackspace relying-party trust]

  2. Add a new rule for the LDAP Attribute named Token-Groups - Unqualified Names with an Outgoing Claim Type of Group, as shown in the following image:

     [Image: Claim rule mapping the LDAP attribute Token-Groups - Unqualified Names to the outgoing claim type Group]

To learn more about customizing how you include Active Directory group membership in your SAML attributes, see https://msdn.microsoft.com/en-us/library/ff359101.aspx

The following example shows a Rackspace YAML (.yml) Attribute Mapping Policy that you can use when you configure your Identity Provider with Rackspace. This example assumes that you have a group named rackspace-billing whose members you want to grant access to Rackspace billing services through the billing:admin Rackspace role.

More information

When you map ADFS users to Rackspace roles or permissions, ensure that you perform the following tasks:

  • Change the groups specified in the example to match your configured outgoing claim type for the ADFS groups.
  • At a minimum, remember to update the example's domain value to your Identity Domain, which is found on the Details page for the Identity Provider.
  • Validate that any values that are mapped to email and expire are properly specified for your specific SAML attributes or assertions. In the following example policy, email is set by using the path ({Pt}) syntax of the Attribute Mapping Policy language to point at the NameID element of the SAML assertion:
mapping:
  rules:
    - local:
        faws:
          groups:
            multiValue: true
            value: "{Ats(http://schemas.xmlsoap.org/claims/Group)}"
        user:
          domain: "your_domain_id_goes_here"
          # Update to your Identity Domain from the Identity Provider details page
          email: "{Pt(/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID)}"
          expire: PT4H
          # Sets a maximum session duration of 4 hours; you might want to set this to a SAML-provided value instead
          name: "{D}"
          # {D} matches the SAML attribute "name" by default
          roles:
            - "{0}"
          # {0} takes the first value returned by the remote rule below
      remote:
        - multiValue: true
          path: |
              (
                if (mapping:get-attributes('http://schemas.xmlsoap.org/claims/Group')='rackspace-billing') then 'billing:admin' else ()
              )
          # The groups specified here are examples. You should substitute your own groups.
  version: RAX-1
  • Ensure that you validate and modify the following items in your own Attribute Mapping Policy:
    • The ADFS groups that users belong to and to which you want to map specific Rackspace permissions
    • The expire value or path
    • The email value or path
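To make the checklist above concrete, here is an added example (not part of the Rackspace page or its policy engine) that resolves the same three pieces the example policy depends on against a constructed SAML response: the NameID path used for email, the multi-valued Group claim exposed as faws.groups, and the group-to-role rule that yields roles. It also flags the mistakes the checklist warns about: a domain still set to the placeholder, an expire value that is not an ISO 8601 duration, a missing NameID, and a user whose groups match no rule. The GROUP_TO_ROLE table generalises the page's single if/then rule to any number of group-to-role pairs; the sample response, the user alice@example.com and the Domain Users group are constructed values.

```python
"""Resolve an ADFS-style SAML response the way the example mapping policy would.

Added example, not Rackspace code. It mirrors the policy's {Pt(...NameID)},
{Ats(Group claim)} and group->role rule, and reports the configuration
problems a reviewer would want fixed before enabling the Identity Provider.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
PLACEHOLDER_DOMAIN = "your_domain_id_goes_here"   # the value shipped in the example policy

# Group name -> Rackspace role. The single pair is the page's rule; add more
# pairs here to map further ADFS groups (generalises the if/then in the policy).
GROUP_TO_ROLE = {
    "rackspace-billing": "billing:admin",
}

# Constructed sample response, shaped like what ADFS emits once the
# "Token-Groups - Unqualified Names" -> Group claim rule is in place.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Assertion>
    <saml2:Subject>
      <saml2:NameID>alice@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="name">
        <saml2:AttributeValue>Alice Example</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
        <saml2:AttributeValue>Domain Users</saml2:AttributeValue>
        <saml2:AttributeValue>rackspace-billing</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def get_attributes(root, name):
    """Equivalent of mapping:get-attributes(name): every value of that SAML attribute."""
    values = []
    for attr in root.iterfind(".//saml2:Attribute", NS):
        if attr.get("Name") == name:
            for v in attr.iterfind("saml2:AttributeValue", NS):
                values.append((v.text or "").strip())
    return values


def name_id(root):
    """Equivalent of {Pt(/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID)}."""
    el = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if el is None:
        return None
    return (el.text or "").strip() or None


def apply_policy(xml_text, domain, expire="PT4H"):
    """Resolve the policy's user and faws sections for one response.

    Returns the resolved fields plus a list of problems found in the policy
    inputs (placeholder domain, bad expire, missing NameID, no role matched).
    """
    root = ET.fromstring(xml_text)
    groups = get_attributes(root, GROUP_CLAIM)                        # faws.groups (multiValue)
    roles = [GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE]  # remote rule -> roles
    email = name_id(root)                                             # user.email via {Pt}
    names = get_attributes(root, "name")                              # {D} default: attribute "name"
    name = names[0] if names else None

    problems = []
    if domain == PLACEHOLDER_DOMAIN:
        problems.append("domain: still the placeholder; set it to your Identity Domain")
    if not re.fullmatch(r"PT(?=\d)(\d+H)?(\d+M)?(\d+S)?", expire):
        problems.append(f"expire: {expire!r} is not an ISO 8601 duration such as PT4H")
    if email is None:
        problems.append("email: NameID not present in the assertion; check the path")
    if not roles:
        problems.append("roles: none of the user's groups matched a mapping rule")

    return {"domain": domain, "email": email, "name": name, "expire": expire,
            "roles": roles, "faws_groups": groups, "problems": problems}


if __name__ == "__main__":
    for key, value in apply_policy(SAMPLE_RESPONSE, PLACEHOLDER_DOMAIN).items():
        print(f"{key}: {value}")
```

Running the script as-is prints the resolved fields for the constructed user and one problem, the placeholder domain; pass your Identity Domain instead and the problems list is empty. Dropping rackspace-billing from the user's groups shows the "no role matched" case, which is the usual cause of a federated login that succeeds at ADFS but arrives at Rackspace without permissions.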

For more examples and a complete guide to the Attribute Mapping Policy language, see the Appendix: Attribute Mapping Policy Reference.

©2020 Rackspace US, Inc.