          Just-in-Time SAML Assertion Fields for Portals


          With Just-in-Time (JIT) provisioning for portals, you can use a SAML assertion to create customer and partner portal users the first time they log in from an identity provider. Customer portals and partner portals aren’t available for new Salesforce orgs as of Summer ’13. Use JIT provisioning with Experience Cloud instead.

          Creating Portal Users

          The Portal ID and Organization ID must be specified as part of the SAML assertion. You can find these parameters on the company information page for the Salesforce org or portal. Because you can also provision regular users, the Portal ID is used to distinguish between a regular and a portal JIT provisioning request. If no Portal ID is specified, the request is treated as a JIT request for a regular platform user.

          Here are the requirements for creating a portal user.

          • Specify a Federation ID in the SAML assertion. If the ID belongs to an existing user account, the user account is updated. If the user account is inactive, the user account is updated but left inactive unless User.IsActive in the JIT assertion is set to true. If there’s no user account with that Federation ID, the system creates a user.
          • If the portal isn’t self-registration enabled and a default new user profile and role aren’t specified, the User.ProfileId field must contain a valid profile name or ID. In addition, the User.PortalRole field must contain a valid portal role name or ID. Use Worker for all portal users.
            Note: The User.Role must be null.

          Creating and Modifying Accounts

          Create or modify an account by specifying a valid Account ID or both the Account.AccountNumber and Account.Name. The account is created or modified according to these conditions.

          • Matching is based on Account.AccountNumber. If multiple accounts are found, an error is displayed. Otherwise, the account is updated.
          • If no matching account is found, one is created.
          • You must specify the Account.Owner in the SAML assertion and ensure that the field level security for the Account.AccountNumber field is set to visible for this owner’s profile.

          Creating and Modifying Contacts

          Create or modify a contact by specifying a valid contact ID in User.Contact or both the Contact.Email and Contact.LastName. Contacts are created or modified according to these conditions.

          • Matching is based on Contact.Email. If multiple contacts are found, an error is displayed. Otherwise, the contact is updated.
          • If no matching contact is found, one is created.

          Supported Fields for the Portal SAML Assertion

          To correctly identify which object to create in Salesforce, you must use a prefix. In the SAML assertion, use the Account prefix for all fields in the Account schema, for example, Account.AccountId. And use the Contact prefix for all fields in the Contact schema. In this example, the Contact prefix was added to the Email field name.

          <saml:Attribute 
             Name="Contact.Email" 
             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <saml:AttributeValue xsi:type="xs:anyType">testuser@123.org</saml:AttributeValue>
          </saml:Attribute>
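
A pre-flight check for the requirements above, as an added example that is not Salesforce's code: it reads the attributes from an assertion your own identity provider produced and lists which portal JIT requirements are unmet. The attribute names `User.FederationIdentifier`, `portal_id` and `organization_id`, the use of `User.AccountId` to carry the Account ID, and all sample values are assumptions; the page does not give them.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Assumed attribute names for the three identifiers (not listed on this page).
FED_ID, PORTAL_ID, ORG_ID = "User.FederationIdentifier", "portal_id", "organization_id"
# Constructed sample values, not real org data.
GOOD = {PORTAL_ID: "PORTAL_ID_PLACEHOLDER", ORG_ID: "ORG_ID_PLACEHOLDER",
        FED_ID: "jdoe-constructed", "User.ProfileId": "Example Portal Profile",
        "User.PortalRole": "Worker", "Account.AccountNumber": "ACME-0001",
        "Account.Name": "Example Account", "Account.Owner": "OWNER_ID_PLACEHOLDER",
        "Contact.Email": "testuser@example.org", "Contact.LastName": "Doe"}

def sample_statement(pairs):
    """Build a constructed AttributeStatement for the demo (not real IdP output)."""
    ns = 'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                   '</saml:AttributeValue></saml:Attribute>' for n, v in pairs.items())
    return f"<saml:AttributeStatement {ns}>{body}</saml:AttributeStatement>"

def read_attributes(xml_text):
    """Return {Name: first AttributeValue text} for every saml:Attribute."""
    attrs = {}
    for a in ET.fromstring(xml_text).iter(SAML + "Attribute"):
        v = a.find(SAML + "AttributeValue")
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    return attrs

def check_portal_jit(attrs, needs_profile_and_role=True):
    """List the page's portal JIT requirements that `attrs` does not meet."""
    def has(name): return bool(attrs.get(name))
    problems = []
    if not has(PORTAL_ID):
        problems.append("no Portal ID: request is treated as regular-user JIT")
    if not has(ORG_ID):
        problems.append("Organization ID missing")
    if not has(FED_ID):
        problems.append("Federation ID missing")
    if needs_profile_and_role and not (has("User.ProfileId") and has("User.PortalRole")):
        problems.append("User.ProfileId and User.PortalRole required")
    if has("User.Role"):
        problems.append("User.Role must be null")
    # Account: an ID (assumed to travel as User.AccountId) or number plus name.
    if not (has("User.AccountId") or (has("Account.AccountNumber") and has("Account.Name"))):
        problems.append("account not identified")
    if not has("Account.Owner"):
        problems.append("Account.Owner missing")
    if not (has("User.Contact") or (has("Contact.Email") and has("Contact.LastName"))):
        problems.append("contact not identified")
    return problems
```

The check covers attribute presence only; it does not validate the assertion's signature or whether the referenced profile, role, owner or account exists in the org.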
          

          Supported Account Fields

          In addition to the standard User attributes supported for regular SAML JIT users, these Account attributes are also supported. For example, specifying an Account.Phone attribute in the assertion updates the account’s Phone field on the corresponding Account object.

          • Name
          • AccountNumber
          • BillingCity
          • BillingCountry
          • BillingPostalCode
          • BillingState
          • BillingStreet
          • Owner (The Owner field on the Account object is Account.OwnerId in the API.)
          • AnnualRevenue
          • Description
          • NumberOfEmployees
          • Fax
          • Industry
          • Ownership
          • Phone
          • Rating
          • ShippingAddress (The Shipping Address field is a compound field.)
          • ShippingCity
          • ShippingCountry
          • ShippingPostalCode
          • ShippingState
          • ShippingStreet
          • Sic
          • TickerSymbol
          • Website

          Supported Contact Fields

          These Contact fields are supported.

          • Account (This value is the Account Name field on the Contact object and Account.Name in the API.)
          • Email
          • FirstName
          • LastName
          • Phone
          • CanAllowPortalSelfReg
          • AssistantName
          • AssistantPhone
          • Birthdate
          • Owner (This value is the Contact Owner field on the Contact object and Contact.OwnerId in the API.)
          • Department
          • Description
          • DoNotCall
          • HasOptedOutOfEmail
          • Fax
          • HasOptedOutOfFax
          • HomePhone
          • LastCUUpdateDate (This value is the Last Modified By field on the Contact object and Contact.LastModifiedDate in the API.)
          • LeadSource
          • MailingAddress (The Mailing Address field is a compound field.)
          • MailingCity
          • MailingCountry
          • MailingPostalCode
          • MailingState
          • MailingStreet
          • MobilePhone
          • Salutation
          • OtherAddress (The OtherAddress field is a compound field.)
          • OtherCity
          • OtherCountry
          • OtherPostalCode
          • OtherState
          • OtherStreet
          • OtherPhone
          • Title

          Supported User Fields

          These User fields are supported for portal users.

          • AccountId
          • ContactId
          • PortalRole (Use Worker for all portal users.)
           