From c97443d6c770d75a236d85eb059a6af738278d7d Mon Sep 17 00:00:00 2001
From: Aaron Marshall
Date: Wed, 31 Mar 2021 14:43:07 -0500
Subject: [PATCH] SSO Attributes & Claims (#519)

* SSO Attributes & Claims

* Update configure-sso-oidc.md

* Update configure-sso-saml.md

* Update _articles/login-with-sso/configure-sso-oidc.md

Co-authored-by: fred_the_tech_writer <69817454+fschillingeriv@users.noreply.github.com>

* Update _articles/login-with-sso/configure-sso-oidc.md

Co-authored-by: fred_the_tech_writer <69817454+fschillingeriv@users.noreply.github.com>

* Update _articles/login-with-sso/configure-sso-saml.md

Co-authored-by: fred_the_tech_writer <69817454+fschillingeriv@users.noreply.github.com>

* Update _articles/login-with-sso/configure-sso-saml.md

Co-authored-by: fred_the_tech_writer <69817454+fschillingeriv@users.noreply.github.com>

Co-authored-by: fred_the_tech_writer <69817454+fschillingeriv@users.noreply.github.com>
---
 _articles/login-with-sso/configure-sso-oidc.md | 16 ++++++++++++++++
 _articles/login-with-sso/configure-sso-saml.md | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/_articles/login-with-sso/configure-sso-oidc.md b/_articles/login-with-sso/configure-sso-oidc.md
index f4cc1a9b..fec57008 100644
--- a/_articles/login-with-sso/configure-sso-oidc.md
+++ b/_articles/login-with-sso/configure-sso-oidc.md
@@ -88,3 +88,19 @@ Method used by the IdP to respond to Bitwarden authentication requests. Options #### Get Claims From User Info Endpoint Check this checkbox if you receive `URI Too Long (HTTP 414)` errors, truncated URLs, or failures during SSO. + +## OIDC Attributes & Claims + +An **email address is required for account provisioning**, which can be passed as any of the attributes or claims in the below table. + +A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user. + +Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable: + +|Value|Claim/Attribute|Fallback Claim/Attribute| +|-----|---------------|------------------------| +|Unique ID|Configured Custom User ID Claims
NameID (when not Transient)
urn:oid:0.9.2342.19200300.100.1.1
Sub
UID
UPN
EPPN| +|Email|Configured Custom Email Claims
Email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
urn:oid:0.9.2342.19200300.100.1.3
Mail
EmailAddress|Preferred_Username
Urn:oid:0.9.2342.19200300.100.1.1
UID| +|Name|Configured Custom Name Claims
Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
urn:oid:2.16.840.1.113730.3.1.241
urn:oid:2.5.4.3
DisplayName
CN|First Name + “ “ + Last Name (see below)| +|First Name|urn:oid:2.5.4.42
GivenName
FirstName
FN
FName
Nickname| +|Last Name|urn:oid:2.5.4.4
SN
Surname
LastName| diff --git a/_articles/login-with-sso/configure-sso-saml.md b/_articles/login-with-sso/configure-sso-saml.md index a47a9901..3556b1cf 100644 --- a/_articles/login-with-sso/configure-sso-saml.md +++ b/_articles/login-with-sso/configure-sso-saml.md @@ -207,3 +207,19 @@ Use the following tables to identify how certain fields in Bitwarden correspond |**Entity ID**|Azure AD Identifier|Google IDP Entity ID|IdP Entity ID|IdP Issuer URI|Issuer URL| |**SSO Service URL**|Login URL|Google IDP SSO URL|IDP URL|Single Sign On URL|SAML 2.0 Endpoint (HTTP)| |**SLO Service URL**|Logout URL|GSuite does not support SLO|SLO Service URL|Single Logout URL|SLO Endpoint (HTTP)| + +## SAML Attributes & Claims + +An **email address is required for account provisioning**, which can be passed as any of the attributes or claims in the below table. + +A unique user identifier is also highly recommended. If absent, Email will be used in its place to link the user. + +Attributes/Claims are listed in order of preference for matching, including Fallbacks where applicable: + +|Value|Claim/Attribute|Fallback Claim/Attribute| +|-----|---------------|------------------------| +|Unique ID|NameID (when not Transient)
urn:oid:0.9.2342.19200300.100.1.1
Sub
UID
UPN
EPPN| +|Email|Email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
urn:oid:0.9.2342.19200300.100.1.3
Mail
EmailAddress|Preferred_Username
Urn:oid:0.9.2342.19200300.100.1.1
UID| +|Name|Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
urn:oid:2.16.840.1.113730.3.1.241
urn:oid:2.5.4.3
DisplayName
CN|First Name + “ “ + Last Name (see below)| +|First Name|urn:oid:2.5.4.42
GivenName
FirstName
FN
FName
Nickname| +|Last Name|urn:oid:2.5.4.4
SN
Surname
LastName|
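Review bot: In the `configure-sso-oidc.md` hunk, the Unique ID row of the "OIDC Attributes & Claims" table lists `NameID (when not Transient)`, which is a SAML subject construct and not an OIDC claim; if the matcher really consults it on OIDC logins, say so in a sentence, otherwise drop it from this page and keep it only on the SAML page. The same table mixes casing (`Sub`, `UID`, `Email`, `Preferred_Username`, and `Urn:oid:0.9.2342.19200300.100.1.1` in the Email fallback column against `urn:oid:0.9.2342.19200300.100.1.1` in the Unique ID row); OIDC claim names such as `sub`, `email` and `preferred_username` are lowercase, so state whether matching is case-insensitive and normalise the spelling in the table. Finally, "If absent, Email will be used in its place to link the user" needs a caveat rather than a bare "highly recommended": an email address is typically an editable, reassignable attribute at the IdP, so the text should tell readers to send a stable identifier (`sub` or one of the configured custom user ID claims) and treat the email fallback as something to avoid, not a default.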
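Review bot: In the `configure-sso-saml.md` hunk, the "SAML Attributes & Claims" table omits the `Configured Custom User ID Claims`, `Configured Custom Email Claims` and `Configured Custom Name Claims` entries that head the corresponding rows on the OIDC page; if custom claim names are honoured for SAML as well, add them here for consistency, and if they are OIDC-only, the OIDC page should say so. The Email fallback column writes `Urn:oid:0.9.2342.19200300.100.1.1` with a capital U while the Unique ID row four lines earlier has `urn:oid:0.9.2342.19200300.100.1.1`; pick one spelling. The Unique ID row also says `NameID (when not Transient)` but never tells the reader what happens when the IdP sends a transient NameID and none of the other listed attributes are present, which per the sentence above the table means the email fallback silently becomes the linking key; one sentence pointing that out next to the "If absent, Email will be used" line would help administrators configure a persistent NameID format instead.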