Use E-mail Address as the Name ID

Before you choose to use email addresses as the SAML Name ID, verify that your identity provider can actually return that identifier for every user who will sign in: the value has to be populated at the source (in Active Directory, the mail attribute that step 4 below reads), and an account without it will be issued no Name ID at all. For some identity providers, particularly those hosted outside the organization's network, email address might be the only identifier available.

To use E-mail Address as the Name ID:

  1. For Claim rule template, select Send LDAP Attributes as Claims, and then select Next.

    (Screenshot: SAML E-mail Attribute)

  2. Provide a claim rule name (example: E-mail Attribute).
  3. In the Attribute store field, select Active Directory.
  4. Under Mapping of LDAP attributes to outgoing claim types, select E-mail-Addresses in the LDAP Attribute column and E-mail Address in the Outgoing Claim Type column.
  5. Select OK.
  6. Select Add Rule.
  7. For Claim rule template, select Transform an Incoming Claim, and then select Next.

    (Screenshot: SAML E-mail Address Attribute)

  8. Provide a claim rule name (example: E-mail Address).
  9. In the Incoming claim type field, select E-mail Address.
  10. In the Outgoing claim type field, select Name ID.
  11. In the Outgoing name ID format field, select Email.
  12. Select the Pass through all claim values radio button, so the email address is issued as the Name ID value unchanged.
  13. Select OK.

After completing the above steps, change the following:

  1. Under Trust Relationships (left-hand side), select Relying Party Trusts, and then double-click the entry for the CSM Relying Party.
  2. Select the Advanced tab.
  3. Select the Secure Hash Algorithm specified on the SAML Settings - Service Provider page; the algorithm chosen here must match what the service provider expects, or its signature validation of the SAML response will fail. SHA-1 and SHA-256 are supported, but SHA-256 is the default and recommended option, particularly for customers who operate under General Data Protection Regulation (GDPR) jurisdiction. SHA-1 is deprecated for digital signatures (practical collision attacks have been demonstrated since 2017) and should be selected only if the service provider cannot validate SHA-256.
  4. Select OK.
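The same configuration can be applied and verified without the wizard. The block below is an added example, not code from the original page or from the CSM product: it contains the two claim rules the wizard steps above generate, written in AD FS claim rule language, and applies them together with the SHA-256 signature setting using the AD FS PowerShell module on the AD FS server. The relying party display name in $RelyingPartyName is an assumption and must be changed to match the entry shown under Relying Party Trusts; the final Get-ADUser check is an added pre-rollout sanity check that assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original page): the claim rules that the wizard
# steps create, applied and verified with the AD FS PowerShell module.
# Run in an elevated PowerShell session on the AD FS server.
# ASSUMPTION: $RelyingPartyName is the display name of the CSM relying party
# trust as listed under Relying Party Trusts; adjust it for your environment.
$RelyingPartyName = 'CSM Relying Party'

# Rule 1: "Send LDAP Attributes as Claims" - read the mail attribute from
# Active Directory and issue it as an E-mail Address claim.
$emailAttributeRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rule 2: "Transform an Incoming Claim" - turn the E-mail Address claim into a
# Name ID with the Email format, passing the claim value through unchanged.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

$trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $trust) { throw "Relying party trust '$RelyingPartyName' not found." }

# -IssuanceTransformRules replaces the entire rule set, so keep the rules that
# are already on the trust and append the two new ones instead of overwriting.
$rules = @($trust.IssuanceTransformRules, $emailAttributeRule, $nameIdRule) -join "`n"

# SHA-256 for the token signature (the "Secure hash algorithm" on the Advanced
# tab). The SHA-1 equivalent would be http://www.w3.org/2000/09/xmldsig#rsa-sha1.
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName `
    -IssuanceTransformRules $rules `
    -SignatureAlgorithm $sha256

# Read the trust back and confirm both settings took effect.
$trust = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if ($trust.SignatureAlgorithm -ne $sha256) {
    throw "Signature algorithm is still $($trust.SignatureAlgorithm)"
}
if ($trust.IssuanceTransformRules -notmatch 'nameid-format:emailAddress') {
    throw "Name ID transform rule was not applied"
}

# Enabled users with an empty mail attribute will receive no Name ID and fail
# to sign in to the service provider; list them before rolling this out.
# ASSUMPTION: the ActiveDirectory module is installed on this host.
Get-ADUser -Filter 'Enabled -eq $true -and mail -notlike "*"' -Properties mail |
    Select-Object SamAccountName
```

The rule text is what AD FS itself emits for the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" templates, so a trust configured through the wizard and one configured with this script end up identical; comparing the output of Get-AdfsRelyingPartyTrust before and after is a quick way to confirm that the GUI steps were completed correctly on a server you did not configure yourself.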