Identity Provider attributes for OpenID Connect
Use the attributes received over OpenID Connect (OIDC) from the Identity Provider (IdP) as filter criteria for authentication.
You can manually create the IdP attributes based on the claims received as part of the ID token.
- The Identity Provider filter is available with the Zero Trust Access feature. For more information, see Zero Trust Access (ZTA).
- IdP attribute filter criteria can be used in the Post-authentication context, Zero Trust Access (ZTA) session relegation, and the Multi-factor Authentication context.
To start the configuration, select New in the Identity Provider Attributes section to add the IdP attributes, then set Use in Adaptive Authentication to true for each attribute that you want to use.
The RiskFactor attribute defined under Identity Provider Attributes in the OIDC configuration comes from the ID token claims. Its value can be an existing claim or a custom claim configured on the IdP side. Use this claim in the various authentication contexts to customize and control the user's login behavior.
The Identity Provider Attributes are displayed with the following details:
| Field | Description |
|---|---|
| Name | Attribute name that is provided by the Identity Provider. |
| Display Name | Detailed name that is used for the filter criteria. Note: You can provide a readable name as the Display Name, because in some cases the names provided by the Identity Provider are lengthy and not readable. |
| Default Value | Default value is used for filter criteria evaluation in case the attribute is missing in the SAML response. |
| Use in Adaptive Authentication | Option to use the Attribute in the Adaptive Authentication. |
You can also add new attributes by selecting New in the Identity Provider Attributes section.
If Use in Adaptive Authentication is set to true, the selected attribute is added as a filter criterion in the Generic Filter Criteria. For example, when it is set to true for risk_score, the Generic Filter Criteria page shows a new filter created for that attribute.
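
How the Default Value and the Use in Adaptive Authentication flag shape what a filter sees, as an added illustration in Python (not the product's own code). The attribute definitions, the sample token and the `requires_step_up` rule are constructed for the example, and the ID token is assumed to have been signature-verified before this point.

```python
import base64
import json

# Attribute definitions mirroring the table's fields (values are constructed).
IDP_ATTRIBUTES = [
    {"name": "risk_score", "display_name": "Risk Score",
     "default_value": "high", "use_in_adaptive_auth": True},
    {"name": "dept", "display_name": "Department",
     "default_value": "unknown", "use_in_adaptive_auth": False},
]


def id_token_claims(id_token):
    """Return the claims of an ID token that was already signature-verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def filter_inputs(claims, attributes=IDP_ATTRIBUTES):
    """Resolve flagged attributes, using Default Value for missing claims."""
    resolved = {}
    for attr in attributes:
        if attr["use_in_adaptive_auth"]:
            value = claims.get(attr["name"], attr["default_value"])
            resolved[attr["name"]] = str(value)
    return resolved


def requires_step_up(inputs, allowed=("low",)):
    """Hypothetical filter: anything other than an allowed risk value steps up."""
    return inputs.get("risk_score") not in allowed


def make_token(claims):
    """Build a constructed sample token (placeholder signature) for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    for sample in ({"sub": "alice", "risk_score": "low", "dept": "eng"},
                   {"sub": "bob"}):  # IdP omitted risk_score
        inputs = filter_inputs(id_token_claims(make_token(sample)))
        print(sample["sub"], inputs, "step-up:", requires_step_up(inputs))
```

With a default of `high`, a token that omits `risk_score` still triggers step-up in this sketch; a permissive default would let the missing claim pass the filter.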