
Attribute Mapping

When users authenticate via OIDC or SAML, Concourse extracts user information from the identity provider’s response to create or update user profiles.

User field | OIDC claim | SAML attributes (tried in order)
Email      | email      | email, mail, emailaddress, NameID
Name       | name       | displayName, givenName, name

Concourse reads the email and name claims from the ID token returned by the identity provider. Both are standard OpenID Connect claims; most providers include them in the ID token when the email and profile scopes are requested.

If the email claim is missing, authentication fails. If the name claim is missing, the local part of the email address (the portion before the @) is used as the display name.

For SAML assertions, Concourse checks multiple attribute names to accommodate different IdP configurations:

Email is resolved by checking these attributes in order:

  1. email
  2. mail
  3. emailaddress
  4. NameID (fallback)

Name is resolved by checking these attributes in order:

  1. displayName
  2. givenName
  3. name

Configure your IdP to send at least one of these attributes in the SAML assertion. The NameID fallback is only useful when the NameID is the user's email address: if your IdP sends a persistent or opaque NameID and no email attribute, that identifier becomes the account's email.
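As an added example (not Concourse's own code), the following Python re-implements the resolution order described above for both the OIDC claims and the SAML attributes, including the failure when no email can be found. The function names, the input shapes (a dict of claims for OIDC; a dict of attribute name to list of values plus the subject NameID for SAML), exact case-sensitive attribute matching, and applying the local-part display-name fallback to SAML as well as OIDC are assumptions of the example.

```python
# Added example: a re-implementation of the attribute-resolution order
# described on this page, for illustration only. It is not Concourse's own
# code; the function names and input shapes are assumptions of the example.
from __future__ import annotations

# Attribute names tried in order for each SAML user field, as listed above.
# NameID is handled separately because it is the assertion subject, not an
# attribute statement.
SAML_EMAIL_ATTRIBUTES = ("email", "mail", "emailaddress")
SAML_NAME_ATTRIBUTES = ("displayName", "givenName", "name")


class MissingEmailError(Exception):
    """Raised when no email can be resolved; authentication fails."""


def _local_part(email: str) -> str:
    """Display-name fallback: the part of the address before the '@'."""
    return email.split("@", 1)[0]


def _first_value(attributes: dict[str, list[str]], names: tuple[str, ...]) -> str | None:
    """Return the first non-empty value of the first present attribute in `names`.

    SAML attributes are multi-valued, so each attribute maps to a list; an
    attribute that is present but empty is skipped rather than accepted.
    Names are matched exactly as listed (case-sensitive), an assumption here.
    """
    for name in names:
        for value in attributes.get(name) or []:
            if value and value.strip():
                return value.strip()
    return None


def resolve_oidc(claims: dict[str, object]) -> tuple[str, str]:
    """Map ID-token claims to (email, display_name)."""
    email = claims.get("email")
    if not isinstance(email, str) or not email.strip():
        raise MissingEmailError("ID token has no email claim")
    email = email.strip()
    name = claims.get("name")
    if not isinstance(name, str) or not name.strip():
        name = _local_part(email)
    return email, name.strip()


def resolve_saml(attributes: dict[str, list[str]], name_id: str | None) -> tuple[str, str]:
    """Map SAML attribute statements plus the subject NameID to (email, display_name).

    The page states the local-part display-name fallback for OIDC only;
    applying it to SAML too is an assumption of this example.
    """
    email = _first_value(attributes, SAML_EMAIL_ATTRIBUTES)
    if email is None and name_id and name_id.strip():
        # Last resort: the subject NameID. An opaque or persistent NameID is
        # accepted here as well, which is why an explicit email attribute
        # should always be released by the IdP.
        email = name_id.strip()
    if email is None:
        raise MissingEmailError("assertion carries no email attribute and no NameID")
    name = _first_value(attributes, SAML_NAME_ATTRIBUTES) or _local_part(email)
    return email, name


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real IdP.
    print(resolve_oidc({"email": "dave@example.com"}))  # name falls back to the local part
    print(resolve_saml({"email": ["alice@example.com"], "displayName": ["Alice Example"]}, "alice"))
    print(resolve_saml({"mail": ["bob@example.com"], "givenName": ["Bob"]}, None))
    print(resolve_saml({"name": ["Carol"]}, "carol@example.com"))  # email taken from NameID
    print(resolve_saml({}, "_9f2c0a"))  # opaque NameID becomes the account email
```

The last sample in the `__main__` block shows the NameID fallback at its weakest: with no email attribute in the assertion, an opaque subject identifier is stored as the user's email, so check the attribute statements your IdP actually releases rather than relying on the fallback.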

When a user authenticates via SSO for the first time:

  1. Concourse checks if a user with the extracted email already exists.
  2. If the user exists, Concourse issues a JWT for that user.
  3. If the user does not exist, Concourse creates a new user with:
    • The extracted email address
    • The extracted display name
    • The member role

Admins can change a user's role after provisioning through the admin panel or the API. Because existing accounts are matched on the email address alone, the IdP must be authoritative for the email addresses it asserts: whoever the IdP authenticates with a given email is treated as that Concourse user.

To ensure consistent attribute mapping, configure your IdP to release the following attributes:

IdP      | Email attribute                                                    | Name attribute
Okta     | email (default)                                                    | displayName or name
Azure AD | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
OneLogin | email                                                              | name
Google   | email (OIDC claim, default)                                        | name (OIDC claim, default)

Azure AD emits full claim URIs by default. For Azure AD SAML, rename the attributes to the short names (email, displayName) in the attribute statements so they match the attribute names Concourse checks.