Some of the preconfigured SAML applications require that you add a custom attribute to a user. You can use the schema to update the user profile with these attributes you create. The examples below are tailored to the Amazon Web Services cloud application. They contain references to the Role ARN and Provider ARN, which are specific to Amazon Web Services.
Create a custom schema
- Open the Schema insert page.
- Enter "my_customer" for customerId.
- In the Request body area, paste the following text:
{
  "fields": [
    {
      "fieldName": "role",
      "fieldType": "STRING",
      "readAccessType": "ADMINS_AND_SELF",
      "multiValued": true,
      "displayName": "role"
    }
  ],
  "schemaName": "SSO",
  "displayName": "Amazon"
}
Notes:
- While schemaName can normally be any text value, the specific value "SSO" is required when configuring a custom schema for use with the Amazon Web Services cloud application.
- If you want to use more than one role, set multiValued to true.
- Click Execute.
- Authorize access to the Directory API.
You should see a 200 OK response, and the output of the request is displayed.
Add custom data to a user profile
- Open the user update page.
- Under userKey, enter the email address of the Google user whose profile you want to update. (You can also use an email alias or the unique user ID. See the Directory API documentation for details.)
- In the Request body area, paste the following text, replacing <role ARN> and <provider ARN> with the appropriate values, available in the Amazon Web Services cloud application article.
Note: If the custom field type is set to custom, you must also use the customType parameter, and it must be set to a value, or the request returns an error.
{
  "customSchemas": {
    "SSO": {
      "role": [
        {
          "value": "<role ARN>,<provider ARN>",
          "type": "custom",
          "customType": "SSO"
        }
      ]
    }
  }
}
- (Optional) To provide access to more than one role, add values within the {}, separating them with a comma ",".
- You can only set up multiple roles if you set multiValued to true when creating the schema.
- When multiple roles are available, the user will be prompted as to which one they want to use.
In this example, the two roles are SSO and tester:
{
  "customSchemas": {
    "SSO": {
      "role": [
        {
          "value": "arn:aws:iam::038047464115:role/SSO,arn:aws:iam::038047464115:saml-provider/Google",
          "type": "custom",
          "customType": "SSO"
        },
        {
          "value": "arn:aws:iam::038047464115:role/tester,arn:aws:iam::038047464115:saml-provider/Google",
          "type": "custom",
          "customType": "tester"
        }
      ]
    }
  }
}
- Click Execute.
- Authorize access to the Directory API.
You should see a 200 OK response, and the user profile is updated with the custom data.
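The two procedures above (create the SSO schema, then assign one or more role values to a user) are easy to get subtly wrong: a schemaName other than "SSO", a "custom" type without customType, or several roles against a single-valued field all fail only once the request is sent or once the user tries to sign in to AWS. The following Python is an added example, not the article's or Google's own code: it builds both Directory API request bodies and checks them against the rules the article states before anything is sent. The account ID 123456789012 and the role and provider names are constructed placeholders; the endpoint URLs are the Directory API schema-insert and user-update paths that the "Schema insert" and "user update" pages call, and sending them with an authorised client is left to the caller.

```python
"""Build and sanity-check the Directory API bodies for an AWS SAML custom schema
and a per-user role assignment (added example; values are constructed)."""
import json
import re

# Directory API endpoints behind the article's "Schema insert" and "user update"
# pages. Assumption: the caller sends these with an OAuth-authorised HTTP client.
SCHEMA_INSERT_URL = "https://admin.googleapis.com/admin/directory/v1/customer/{customerId}/schemas"
USER_UPDATE_URL = "https://admin.googleapis.com/admin/directory/v1/users/{userKey}"

# The AWS SAML app only reads roles from a schema with this exact name.
REQUIRED_SCHEMA_NAME = "SSO"

# "<role ARN>,<provider ARN>": a 12-digit account id, a role name or path,
# a comma, then the SAML provider ARN. Commas are excluded from the name
# classes so the separator stays unambiguous.
ROLE_VALUE_RE = re.compile(
    r"^arn:aws:iam::\d{12}:role/[\w+=.@/-]+,"
    r"arn:aws:iam::\d{12}:saml-provider/[\w+=.@-]+$"
)


def schema_body(multi_valued: bool = True) -> dict:
    """Body for the schema insert call; multi_valued=True allows several roles."""
    return {
        "fields": [
            {
                "fieldName": "role",
                "fieldType": "STRING",
                "readAccessType": "ADMINS_AND_SELF",
                "multiValued": multi_valued,
                "displayName": "role",
            }
        ],
        "schemaName": REQUIRED_SCHEMA_NAME,
        "displayName": "Amazon",
    }


def role_value(account_id: str, role_name: str, provider_name: str) -> str:
    """Compose the '<role ARN>,<provider ARN>' string the AWS app expects."""
    return (f"arn:aws:iam::{account_id}:role/{role_name},"
            f"arn:aws:iam::{account_id}:saml-provider/{provider_name}")


def user_update_body(roles: list) -> dict:
    """Body for the user update call; roles is a list of (value, customType) pairs."""
    return {
        "customSchemas": {
            REQUIRED_SCHEMA_NAME: {
                "role": [
                    # "type": "custom" must be paired with a customType or the
                    # API rejects the request.
                    {"value": value, "type": "custom", "customType": custom_type}
                    for value, custom_type in roles
                ]
            }
        }
    }


def check_request_pair(schema: dict, user_update: dict) -> list:
    """Return the problems to fix before sending; an empty list means both bodies are consistent."""
    problems = []
    if schema.get("schemaName") != REQUIRED_SCHEMA_NAME:
        problems.append('schemaName must be "SSO" for the AWS SAML app')
    field = next((f for f in schema.get("fields", []) if f.get("fieldName") == "role"), None)
    if field is None:
        problems.append('schema has no "role" field')
        return problems
    roles = user_update.get("customSchemas", {}).get(REQUIRED_SCHEMA_NAME, {}).get("role", [])
    if len(roles) > 1 and not field.get("multiValued"):
        problems.append("multiple roles assigned but the schema field is not multiValued")
    for entry in roles:
        value = entry.get("value", "")
        if entry.get("type") == "custom" and not entry.get("customType"):
            problems.append(f'role entry {value!r} has type "custom" but no customType')
        if not ROLE_VALUE_RE.match(value):
            problems.append(f'role value {value!r} is not "<role ARN>,<provider ARN>"')
    return problems


if __name__ == "__main__":
    # Constructed placeholders, not a real AWS account.
    account = "123456789012"
    schema = schema_body(multi_valued=True)
    update = user_update_body([
        (role_value(account, "SSO", "Google"), "SSO"),
        (role_value(account, "tester", "Google"), "tester"),
    ])
    print("POST", SCHEMA_INSERT_URL.format(customerId="my_customer"))
    print(json.dumps(schema, indent=2))
    print("PUT", USER_UPDATE_URL.format(userKey="user@example.com"))
    print(json.dumps(update, indent=2))
    print("problems:", check_request_pair(schema, update))
```

Run `check_request_pair` on the exact bodies you are about to paste into the two pages; it reproduces the article's three caveats (schema name, customType, multiValued) plus a format check on each role value, so a typo in an ARN is caught before the user is prompted with a role AWS will refuse.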