In this article, we will show you how to set up custom claim mapping for Single Sign On (SSO). Typically you might want to add custom claims where the username identifier you are using does not directly match the username identifier required for Kallidus to authenticate you.
Most customers do not need to create custom claims. This is only necessary if you use a custom identifier (which is quite rare).
There are 2 scenarios to consider:
Set up custom claims where you manage and edit them yourself
By default, Kallidus will match on preferred username. This section will give instructions on how to edit this if it does not match. You will need to add a custom attribute to the claims with the name "https://www.kallidus.com/username".
This section includes details for:
Microsoft Entra ID
These steps need to be undertaken in Microsoft Entra ID by your IT team. We assume the Kallidus configuration is already set, and you are creating a custom claim for this:
- Go to 'Enterprise applications' and find the Kallidus configuration, which should already be set up
- Select the 'Single Sign-on' option from the left-hand menu:
- Select 'Edit' in the Attributes and Claims section:
- Add a new claim. The name of the claim is https://www.kallidus.com/username:
- Add the Source. Here, you need to add the value you wish to use. It needs to match the username field in the Kallidus suite:
- Select 'App registrations', locate the Kallidus configuration in the list and highlight it
- Select the Manifest option from the menu in the left panel
- Change 'acceptMappedClaims' to true:
Please note: We do not support the use of custom signing keys. You will need to set the acceptMappedClaims property to true in the application manifest. As documented on the apiApplication resource type, setting the property allows an application to use claims mapping without specifying a custom signing key.
Google Workspace
- Go to 'Apps'
- Go to 'Web and mobile apps':
- Select and open the app you have created to link with Kallidus:
- Select to expand the SAML attribute mapping section
- Select 'Add Mapping':
- Select the directory field which maps to your username in the Kallidus platform
- Under App attributes, add https://www.kallidus.com/username
- Save your changes
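To confirm that the identity provider is emitting the claim after either set of steps above, you can inspect a test sign-in's ID token or SAML assertion. The following is an added example, not Kallidus code: the function names, the sample inputs and the exact-match comparison are assumptions made for illustration.

```python
import base64, json
import xml.etree.ElementTree as ET

CLAIM = "https://www.kallidus.com/username"  # claim name from this article
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def claims_from_id_token(token):
    """Decode an ID token payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claims_from_saml(xml_text):
    """Map attribute Name -> list of values from a SAML 2.0 assertion you captured yourself."""
    out = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", SAML_NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        out.setdefault(attr.get("Name"), []).extend(vals)
    return out

def check_mapping(claims, kallidus_username):
    """Return (ok, reason). Exact string comparison is an assumption of this example."""
    if CLAIM not in claims:
        return False, "custom claim missing"
    value = claims[CLAIM]
    values = [str(v) for v in (value if isinstance(value, list) else [value])]
    if len(values) != 1:
        return False, "expected exactly one value, got %d" % len(values)
    if values[0] == kallidus_username:
        return True, "match"
    if values[0].strip().lower() == kallidus_username.strip().lower():
        return False, "differs only by case or whitespace"
    return False, "value does not match"

# Constructed sample inputs (not real tokens or assertions).
def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([_seg({"typ": "JWT"}), _seg({"preferred_username": "a.user@example.com"}), "sig"])
SAMPLE_SAML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement><saml:Attribute Name="https://www.kallidus.com/username">
    <saml:AttributeValue> emp00123</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    print(check_mapping(claims_from_id_token(SAMPLE_TOKEN), "EMP00123"))
    print(check_mapping(claims_from_saml(SAMPLE_SAML), "EMP00123"))
```

The token sample shows a sign-in where only the default claim is present, and the SAML sample shows a mapped value that would fail an exact match because of a leading space and different case.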
Set up custom claims where they are fixed and cannot be changed
When setting up a new SSO identity provider within the settings area of the Manage Users area, you can set up claim mappings. Typically this is used where the username used in the Kallidus platform to identify a user is not a standard username claim/attribute used by the SSO identity provider (e.g. preferred_username in an Entra ID OpenID Connect identity provider). It helps overcome differences between the user data that you send from your identity provider and the data used when setting up users in Kallidus.
To do this, either edit an existing SSO setup or create a new one within the Settings > SSO providers section. Claim mappings can be added in the Claim mappings section.
If you need assistance with this, please raise a ticket.