Question: is there a SAML property for "nickname" or "preferred username"

[ThisIsMissEm]

In Mastodon, we support OIDC, CAS, and SAML for SSO; Both CAS and OIDC support a nickname property on user_info, but we don't have anything for SAML for this property.

I've tried researching this but do not know the SAML ecosystem well enough to find what I'm looking for, my understanding is that in our configuration, we'd need to add something like:

saml_options[:attribute_statements][:nickname] = [ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME']] if ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME']

As to get the nickname property in the user_info hash. I just don't know what that value would be for the ENV['SAML_ATTRIBUTES_STATEMENTS_NICKNAME']

This is related to this issue on Mastodon: mastodon/mastodon#21296

[leesmith]

Not sure if you've solved this yet but as far as SAML goes, you can pretty much map the claims attributes to any field that the identity provider (IDP) has. For instance, usually with SAML, the basic claims attributes are email, first name, and last name. But you could also request that the IDP give you a nickname value.

Request attributes (claims) could look like this:

request_attributes: [
  { name: 'email', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Email address', is_required: 'true' },
  { name: 'first_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'First name', is_required: 'true' }, 
  { name: 'last_name', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Last name', is_required: 'true' },
  { name: 'nickname', name_format: 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic', friendly_name: 'Nickname', is_required: 'false' },
]

After the SAML assertion comes back to your app, you can access those fields like this:

nickname = @auth_hash.extra.raw_info['nickname']

[ThisIsMissEm]

Okay, cool! Thanks for the help! I don't know SAML in the slightest (nor have a system wherein I can test this)

I'll keep this in mind for next time I work on that part of the Mastodon code.