Public
Honored Contributor

Using SSO (Single Sign on) with SAML assertion with Custom profile attributes and badges

Not sure this will be of much use for many, but hopefully one day it saves someone hours of time and a big headache - This is how you both solve for passing custom profile attributes via SAML into Khoros, as well as how to make badging work with custom profile attributes. .

*Note - I am not an engineer, I have literally no idea what I am doing, but I made it work. If anyone has advice how to better do any of this, please share!

In my situation, we are utilizing OKTA as our IDP, which we want to pass custom profile attributes into Khoros. For example, we award badges in Community as people complete training in our LMS system. As such, when users complete the learning, their OKTA profile is updated to reflect that, and then OKTA passes that completion value into Khoros, which kicks off awarding the specific badge. 

If/when you want to utilize your SSO integration with Khoros to pass over custom profile attributes via the assertion, this is how you do it. How Khoros calls out custom attributes is very literally different each step of the way, so pay attention to each snippet.

Within your SAML Assertion Mapping settings page in the 'Dynamic Assertion Mapping' field -  - /t5/bizapps/page/tab/community%3Aadmin%3Afeatures%3Acommon.feature.samlss%3Asaml-sso-admin-mapping

You want to map it like this

 

 

custom_profile.comm_301=testmeow8

 

 

1.PNGBadge Logic
If you want to then map custom profile attributes with badge logic you need to use the following (Notice it's different)

 

 

custom.custom_profile.comm_301 = 'Toast'

 

 

badgesaredifferent.PNG
Does it work?
And then when you want to actually check if it all works, go into the API browser in stage and check with

 

 

SELECT c_comm_301 FROM users WHERE id = '47'

 

 

Iamnotgod.PNG

Results
Which provides you with the results

 

 

{
  "status" : "success",
  "message" : "",
  "http_code" : 200,
  "data" : {
    "type" : "users",
    "list_item_type" : "user",
    "size" : 1,
    "items" : [ {
      "type" : "user",
      "c_comm_301" : "Toast"
    } ]
  },
  "metadata" : { }
}

 

 

And that's how you do that! 🚀

---------------------------------------------------

For anyone curious, this is how our OKTA Assertion is setup while I was testing it

okta.PNG

 

edit #5 - I give up on trying to format this thing to make it pretty, yall get the point!

6 Replies 6
Honored Contributor

@StanGromer We're actually not even getting that far. When we use Okta to log in for some reason the sso id in community gets set to the user's email address.

Any hints how to make Okta send the ldap uid to the community's sso id field? 🙂


CM at Spotify
Community Ergo Sum

@PerBonomi Here's how we're passing it over in OKTA, at least at quick glance I think it's the two spots that would matter:

okta.PNG'okta2.PNG

Honored Contributor

Thanks @StanGromer !

We don't have all the same settings, but you helped me remain persistent and it seems to work now 🙂


CM at Spotify
Community Ergo Sum
Trusted Contributor

Thanks @StanGromer for sharing!

I don't know how this could work with our SSO protocol, but we do have a cross-resource gamification on our roadmap. This may indeed turn out to saving hours of work in the future 🙂 We'll see 🙂 

 

New Commentator

Can Khoros integrate with more than one IDP provider for the same community?  For example we may use one provider for employees and internal users and different one for our customers

@chanda45  Yes it is possible to integrate with multiple SAML IDPs. There is a config and a setting that would have to be enabled. 
cc @NarendraG 

Welcome to the Technology board!

Curious about our platform? Looking to connect on social technology? You've come to the right place!

Are you a Khoros customer? For direct assistance from our Support team, please visit the Support Forum.