How to configure Brazen in your SAML IDP

The following configuration steps must be completed to set up Brazen as a service provider in your identity provider.

1) Specify the correct attribute name and format.

Brazen requires every SAML attribute to use the attribute's Object Identifier (OID), written as urn:oid:..., as its Name, and the uri name format (urn:oasis:names:tc:SAML:2.0:attrname-format:uri) as its NameFormat.

<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Test Email</saml:AttributeValue>
</saml:Attribute>

Required fields

Friendly Attribute Name | OID Attribute Name | Definition
mail | urn:oid:0.9.2342.19200300.100.1.3 | The preferred or primary email address for the user. Brazen will use the first value it finds in a claim.
givenName | urn:oid:2.5.4.42 | Name strings that are the part of a person's name that is not their surname.
surname | urn:oid:2.5.4.4 | The surname or last name of the user.

Optional fields

Brazen has an OID repository (1.3.6.1.4.1.47993) that defines fields specific to Brazen's system. These are optional fields that do not need to be provided in order to successfully provision a user in Brazen.

To send a value as one of these fields to Brazen, set the attribute's Name to the corresponding OID value (with the uri NameFormat, as above).

Friendly Attribute Name | OID Attribute Name | When to use | Definition
userId | urn:oid:1.3.6.1.4.1.47993.1.1.2 | Needed if the system cannot guarantee that a user's email address will remain the same. | The identifier for this user in the external system. Brazen will use the first value it finds in a claim.
ianaTimeZone | urn:oid:1.3.6.1.4.1.47993.1.1.3 | To set a time zone for the user other than the default. | The user's preferred time zone, such as "America/New_York". Brazen uses IANA Olson time zone names. If one is not provided, the user's time zone is set to "US/Eastern". Users will have the ability to set a time zone within Brazen.

See the example below for a valid AttributeStatement in the SAML response.

<saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>Test Email</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>Test Last Name</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>Test First Name</saml:AttributeValue>
    </saml:Attribute>

    <!-- Optional fields -->
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.47993.1.1.2"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>Test External ID</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.47993.1.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>America/New_York</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

2) The NameId format must be persistent

Brazen's SSO configuration requires the NameId format to be persistent. This is a requirement of Brazen's system and cannot be changed.

The NameId can be found within the Subject element in the SAML response.

<saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
         NameId
   </saml:NameID>
</saml:Subject>
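The following Python script is an added example, not Brazen's own code, for checking a test assertion from your IdP against both requirements on this page before you enable the integration: every Attribute is named by OID with the uri NameFormat, the three required OIDs carry a value, and the Subject's NameID uses the persistent format. It also shows the claim mapping that results (first value per attribute, and the page's stated "US/Eastern" default when no time zone is sent). The two assertions embedded in it are constructed samples with placeholder values; signature, audience and validity-window checks are a separate step that this script does not perform.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
DEFAULT_TIME_ZONE = "US/Eastern"  # default stated on this page when no zone is sent

# Friendly names keyed by the OID attribute names from the tables above.
REQUIRED = {
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.42": "givenName",
    "urn:oid:2.5.4.4": "surname",
}
OPTIONAL = {
    "urn:oid:1.3.6.1.4.1.47993.1.1.2": "userId",
    "urn:oid:1.3.6.1.4.1.47993.1.1.3": "ianaTimeZone",
}


def check_assertion(xml_text):
    """Return {"problems": [...], "claims": {...}} for one SAML Assertion.
    An empty problem list means the NameID is persistent and every required
    OID attribute is present, non-empty and uses the uri NameFormat. "claims"
    holds the first value of each known attribute ("first value it finds")."""
    root = ET.fromstring(xml_text)
    problems, claims, seen = [], {}, {}

    # Requirement 2: the Subject's NameID must use the persistent format.
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        problems.append("Subject has no NameID")
    else:
        fmt = name_id.get("Format")
        if fmt != PERSISTENT_FORMAT:
            problems.append("NameID Format is %r, expected persistent" % fmt)
        claims["nameId"] = (name_id.text or "").strip()

    # Requirement 1: OID names with the uri NameFormat on every attribute.
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name, fmt = attr.get("Name", ""), attr.get("NameFormat")
        if fmt != URI_FORMAT:
            problems.append("attribute %r has NameFormat %r, expected uri" % (name, fmt))
        if not name.startswith("urn:oid:"):
            problems.append("attribute %r is not named by OID" % name)
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        seen[name] = values[0] if values else None  # keep only the first value

    for oid, friendly in REQUIRED.items():
        if seen.get(oid) is None:
            problems.append("required attribute %s (%s) missing or empty" % (friendly, oid))
        else:
            claims[friendly] = seen[oid]
    for oid, friendly in OPTIONAL.items():
        if seen.get(oid) is not None:
            claims[friendly] = seen[oid]
    claims.setdefault("ianaTimeZone", DEFAULT_TIME_ZONE)
    return {"problems": problems, "claims": claims}


# Constructed sample that meets both requirements (placeholder values).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      opaque-persistent-id-123
    </saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.47993.1.1.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>America/New_York</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed misconfiguration: email NameID, a friendly-named attribute with
# the basic NameFormat, and no surname attribute at all.
BAD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        result = check_assertion(doc)
        print(label, "problems:", result["problems"] or "none")
        print(label, "claims:", result["claims"])
```

Paste a decoded assertion from your IdP's test login into GOOD_ASSERTION's place and run the script; each reported problem maps directly to one of the two numbered requirements above, which makes it easy to tell an attribute-mapping mistake (wrong Name or NameFormat) from a NameID-policy mistake.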

Resources on how to specify a persistent NameId