Update user fields via SSO user transform map

kristenmkar
Mega Sage

Good afternoon! 

We currently have SSO/CAC authentication configured within our instances, specifically via digest token: we utilize a web service to grab the CAC certificate's header values and then run them against the user transform mapping. We have one coalesce field set as well as additional mapping fields. The transform map works perfectly to create a new user and map the fields when the user doesn't yet exist; however, I cannot figure out how to use the transform map to UPDATE the user's fields if they already exist in the system. We have a particular field mapping from the headers that we need to update each time the user logs in. I was hoping that I could just utilize the transform map since it is already configured to map these fields; however, I cannot get it to trigger if the user is already found in the system. I tried to write rules within the transform map to update the fields, but they don't seem to be triggering. I'm wondering if there is something else I'm missing outside of the transform map configurations. Do I need to update the actual SSO login script? I thought there was out-of-the-box functionality to update a user record via the transform map, but I think I am missing some logic. Do you guys happen to have any suggestions?


Thank you! 


Randheer Singh
ServiceNow Employee

Hi @kristenmkar ,
I am not sure I fully understood the SSO flow that you have described. But if you are using SAML, there is an "Update user record upon each login" checkbox under the User Provisioning tab of the IdP configuration.

[Screenshot: SAML IdP configuration, User Provisioning tab, "Update user record upon each login" checkbox]


A similar option is also available for OIDC

[Screenshot: the equivalent option in the OIDC provider configuration]


Thanks,

Randheer

kristenmkar
Mega Sage

I apologize, as my initial post was a bit difficult to follow. Our SSO setup is somewhat customized, so it was hard for me to follow myself! But maybe you all have suggestions or ideas!


We currently utilize the Digested Token SSO logic, which is the reason I don't have the option available to "update the user with each login" via the checkbox. Basically, when a new user accesses our system, we use a WSDL file to extract/parse specific information from their headers (including the field I want to update each time the user logs in) via a web service. Those fields are then loaded into a User Import Set table and transformed, which then creates the new user. Once the user is established in the system, we do not need to utilize those web service fields from the WSDL file or use the IMP SSO User transform map, which makes sense in the scheme of things! We only need to match the HTTP header field within the Digest Token, so there is no need to parse out those other fields.


That being said, I'm not sure if I could potentially modify the MultiSSO_DigestedToken script to pull in just one parsed field value for an existing user, which I assume would need to map back to that transform map? But I also don't know how that would work, since there is the coalesce field within the mapping.


The only other thing I am pondering is possibly a different/separate REST web service that could import that XML file into the IMP SSO User table when a returning user logs in, but again, I'm not sure how I could trigger that with the SSO. Of course it must be complicated 🙂
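The insert-versus-update behaviour the thread is circling around, as an added stand-alone example that is not code from the thread, from ServiceNow, or from the poster's instance. It is a plain Node.js simulation of what a transform map with one coalesce field does when a header-derived import set row is loaded: a row whose coalesce value matches an existing record updates that record, a row with no match inserts one, and a row with an empty coalesce value is refused rather than matched. In a real instance the three objects correspond to the import set row (`source`), the `sys_user` record (`target`) and the transform's `action` variable (`'insert'` or `'update'`); the header names, import set columns and `sys_user` fields used here are assumptions for the example, not the poster's real mapping.

```javascript
// Added example: in-memory simulation of a ServiceNow transform map with a
// coalesce field. Not ServiceNow code; all field and header names are assumed.

// Field mapping: import set column -> sys_user column (assumed names).
const FIELD_MAP = {
  u_edipi: 'employee_number',   // coalesce field: identifier taken from the CAC
  u_email: 'email',
  u_org_code: 'department',     // the value that must refresh on every login
};
const COALESCE_FIELD = 'u_edipi';

// Constructed stand-in for the header-parsing web service step: turn the
// certificate-derived HTTP headers into one import set row. Header names are
// invented for this example.
function rowFromHeaders(headers) {
  return {
    u_edipi: (headers['x-cac-edipi'] || '').trim(),
    u_email: (headers['x-cac-email'] || '').trim().toLowerCase(),
    u_org_code: (headers['x-cac-org'] || '').trim(),
  };
}

// Apply one import set row to an in-memory sys_user table (an array).
// Returns { action, record } the way a transform exposes `action`:
// 'insert', 'update', or 'ignore' when the coalesce value is empty.
function transformRow(users, row) {
  const key = row[COALESCE_FIELD];
  if (!key) {
    // Never coalesce on an empty value: it would either create a duplicate
    // user or match an unrelated record whose key field is also empty.
    return { action: 'ignore', record: null };
  }
  const targetKeyField = FIELD_MAP[COALESCE_FIELD];
  const matches = users.filter((u) => u[targetKeyField] === key);
  if (matches.length > 1) {
    // A coalesce field that is not unique is a configuration error; refuse
    // to update an arbitrary one of the matches.
    throw new Error(`coalesce field ${targetKeyField} is not unique for ${key}`);
  }
  let action;
  let record;
  if (matches.length === 1) {
    action = 'update';
    record = matches[0];
  } else {
    action = 'insert';
    record = {};
    users.push(record);
  }
  // Mapped fields are written on both insert and update, which is what
  // refreshes the per-login value on an existing user.
  for (const [src, dst] of Object.entries(FIELD_MAP)) {
    record[dst] = row[src];
  }
  return { action, record };
}

// Worked run: first login creates the user, a later login with a changed
// org header updates only that user, a request with no identifier is ignored.
function demo() {
  const users = []; // stands in for sys_user
  const first = transformRow(users, rowFromHeaders({
    'x-cac-edipi': '1234567890',
    'x-cac-email': 'Jane.Doe@example.mil',
    'x-cac-org': 'ORG-A',
  }));
  const second = transformRow(users, rowFromHeaders({
    'x-cac-edipi': '1234567890',
    'x-cac-email': 'Jane.Doe@example.mil',
    'x-cac-org': 'ORG-B',
  }));
  const bad = transformRow(users, rowFromHeaders({ 'x-cac-org': 'ORG-C' }));
  return { users, first, second, bad };
}

demo();
```

The point the simulation makes: the same map with the same coalesce field already yields `update` for a returning user; what decides whether the existing record is refreshed is whether a row for that user is loaded into the import set table on each login at all, which is exactly the part the thread's custom Digested Token flow skips once the user exists.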