Building the SAML Response Contents

The SAML response contents must include the user email address or the user name. For a complete list of requirements, see SAML Integration - High-Level View of the SAML Request and Response.

Before You Begin

Configure the provider metadata and share it with the Identity Provider (IdP). For information, see Configuring Provider Metadata for SAML Integration.

Procedure

  • The SAML response must include the user email address or the user name. Use any of the following methods:

    • Using the Command Center, map the IdP response attribute to a user attribute used in the Commvault software.

      For information about accessing Command Center, see Accessing the Command Center.

    • Add the user email address or user name to the username attribute of the saml:AttributeStatement:

      <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
          <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
            samluser1@commvault.com
          </saml2:AttributeValue>
        </saml2:Attribute>
      </saml2:AttributeStatement>

    • Add the user email address or user name to the NameID element of the assertion Subject:

      <saml2:Subject xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
          samluser1@commvault.com
        </saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
          <saml2:SubjectConfirmationData NotOnOrAfter="<TimeStamp>" Recipient="<SP url>"/>
        </saml2:SubjectConfirmation>
      </saml2:Subject>
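
An added example (not Commvault code) that checks an IdP test assertion for the two locations described above, the username attribute and the Subject NameID, before the configuration goes live. The sample assertion is constructed, the function names are hypothetical, and the multiple-value and mismatch checks are assumptions of this example rather than documented Commvault behavior.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real IdP).
SAMPLE_ASSERTION = """\
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
      samluser1@commvault.com
    </saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="username">
      <saml2:AttributeValue>
        samluser1@commvault.com
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

def find_user_identifiers(assertion_xml):
    """Return the username attribute values and the Subject NameID, trimmed."""
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        raise ValueError("DTD or entity declarations do not belong in SAML")
    root = ET.fromstring(assertion_xml)
    values = [
        (v.text or "").strip()  # values are often wrapped in whitespace
        for attr in root.iterfind(".//saml2:Attribute[@Name='username']", NS)
        for v in attr.iterfind("saml2:AttributeValue", NS)
    ]
    node = root.find(".//saml2:Subject/saml2:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    return {"username_attribute": [v for v in values if v], "name_id": name_id or None}

def check_assertion(assertion_xml):
    """List problems that would leave the assertion without one clear user identifier."""
    found = find_user_identifiers(assertion_xml)
    names, name_id = found["username_attribute"], found["name_id"]
    problems = []
    if not names and not name_id:
        problems.append("no username attribute and no NameID")
    if len(names) > 1:  # assumption of this example: one value expected
        problems.append("multiple username values")
    if names and name_id and name_id not in names:  # assumption of this example
        problems.append("username attribute and NameID disagree")
    return problems
```

This inspects content only; it does not validate the XML signature or the conditions of the assertion.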

What to Do Next

Creating URLs for SAML Interactions
