SAML attributes & claims - if elseif else scenario

yeooandyni 86 Reputation points
2024-06-12T14:09:57.39+00:00

Hey folks,

We're testing moving user provisioning from Azure to DocuSign, and are having problems targeting the correct DocuSign account to provision the users into.

According to DocuSign, we need to have the accountid and permissionprofileid attributes being passed. We've done this, but the permissionprofileid is causing hassle.

We would like to have one of two integer values passed to DocuSign - one for Admin and the other for Sender/Standard user. However, we can't for the life of me figure out how to set the claim to be one or the other. We've tried transforming the value, but that just keeps it static. We've also tried conditions, based on group membership, and transforming the value, but this hasn't worked as required.

We were able to find this - https://learn.microsoft.com/en-us/answers/questions/1192693/docusign-(-)-azure-sso. However, we can already do this with simple transformations, it's the one claim to return either of the two values we need.

I know I'm almost there, but just can't seem to get past this final hurdle.

Thanks.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Marcel Nguyen 0 Reputation points
    2024-07-11T14:44:04.09+00:00

    Hi @yeooandyni ,

    I hope I got this right: you are trying to pass the accountId OR permissionprofileId based on a group membership?

    If that's the case, this could be solved with app roles in the app registration manifest, I think. You can create app roles and add the value of the accountId or permissionprofileID (assuming you only need one ID at a time) to it. In the SCIM mapping you can then create a new mapping with type "Expression" that has the following expression: SingleAppRoleAssignment([appRoleAssignments])

    As target attribute you can then select the permissionprofileId or userId.

    This will create the account in DocuSign with either the accountId or permissionprofileID.

    Hope I understood your problem right and let me know if this has helped.

    • Marcel