I've implemented Single Sign On with Salesforce as Identity Provider scenario using SAML. I want to pass additional attributes via SAML response to the Service Provider. Out of the box the Connected App allows adding custom attributes based on User/Profile/System objects:
I want to add attributes from other objects.
Is it even possible? Should I implement some interface to have specific fields visible?
Best Answer
Looks like you pretty much have covered all the steps an admin can perform to configure Salesforce as an Identity Provider. He can update the custom attributes to be sent back as part of the assertion, but is limited to the available dropdown options provided by Salesforce (mentioned in your question).
However, there is a possible way to extend the custom attribute response using code. Salesforce allows developers to extend the connected app using a Custom Connected App Handler. This class needs to extend the ConnectedAppPlugin class to extend the Connected App behavior, as mentioned below:
Create a class following the below sample code, to populate a map of custom attributes from your business data.
You can find more details here about the same https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_class_Auth_ConnectedAppPlugin.htm#apex_class_Auth_ConnectedAppPlugin
Update
Out of curiosity, I tried to implement it by myself (Between two SF orgs) and was able to pass additional SAML attributes as part of response.
This is what I did -
Note: There is a catch here. For some reason this class with version >37 is not working. So update its version to 36.
Update 2
Moreover, if you want to use a higher API version you have to override the customAttributes method like this, with the additional connectedAppId and context attributes.
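As an added illustration of the approach the answer describes (this is example code written for this page, not the answerer's own class and not Salesforce documentation code), the following Apex class extends Auth.ConnectedAppPlugin and overrides the newer four-argument customAttributes method, so it works with API version 38 and above. The custom object Employee_Record__c, its fields Department__c and Cost_Center__c, and its User__c lookup are hypothetical names assumed for the example; substitute your own business object. The attribute keys ending up in the SAML assertion are whatever keys you put in the returned map.

```apex
// Example Connected App handler (added for illustration; assumes a hypothetical
// Employee_Record__c object with a User__c lookup, Department__c and Cost_Center__c).
// Register it under Connected App > Custom Connected App Handler, with a "Run As" user
// that has read access to the object; SOQL here runs in that user's context.
global class SamlAttributeHandler extends Auth.ConnectedAppPlugin {

    // Gate access per connected app / user if needed; true keeps the default behaviour.
    global override Boolean authorize(Id userId, Id connectedAppId, Boolean isAdminApproved,
                                      Auth.InvocationContext context) {
        return true;
    }

    // API 38+ signature: connectedAppId and context are passed in addition to the
    // user and the formula-defined attributes configured in the UI.
    global override Map<String, String> customAttributes(Id userId, Id connectedAppId,
                                                         Map<String, String> formulaDefinedAttributes,
                                                         Auth.InvocationContext context) {
        // Start from the UI-configured attributes so they are not lost.
        Map<String, String> attrs = new Map<String, String>();
        if (formulaDefinedAttributes != null) {
            attrs.putAll(formulaDefinedAttributes);
        }

        // Only add business attributes for SAML flows; the same handler also runs for OAuth.
        if (context != Auth.InvocationContext.SAML_SSO_IDP) {
            return attrs;
        }

        // Pull attributes from a non-User object related to the authenticating user.
        List<Employee_Record__c> records = [
            SELECT Department__c, Cost_Center__c
            FROM Employee_Record__c
            WHERE User__c = :userId
            LIMIT 1
        ];

        // Never emit nulls: a null value breaks assertion building and the SP
        // would otherwise have to guess whether the attribute was intentionally absent.
        if (!records.isEmpty()) {
            Employee_Record__c rec = records[0];
            if (String.isNotBlank(rec.Department__c)) {
                attrs.put('Department', rec.Department__c);
            }
            if (String.isNotBlank(rec.Cost_Center__c)) {
                attrs.put('CostCenter', rec.Cost_Center__c);
            }
        }

        // Keep a record of which attributes were released to which app; useful when
        // auditing what the service provider was told about a user.
        System.debug(LoggingLevel.INFO,
            'SAML attributes for user ' + userId + ' / app ' + connectedAppId + ': ' + attrs.keySet());

        return attrs;
    }
}
```

Because the assertion is signed by the IdP, the Service Provider will trust every value in this map, so treat the query and mapping logic with the same care as any other authorization data, and make sure the "Run As" user cannot see more records than the attributes require.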