DefaultSecurityDomain is the name of the default security domain. This is optional.
InterSystems uses information from the SAML attributes along with the optional DomainPrefix to locate the appropriate security domain where the SAML users are defined. It searches in the following order for a domain identified by the value of DomainPrefix concatenated with the:
- OID registry code for the organization-id from the SAML Assertion
- organization name directly from the SAML assertion
- OID registry code for the homeCommunityId of the sender from the SAML Assertion
The provided value for DomainPrefix is “%HS” for the internal security domains.
If InterSystems locates an appropriately named security domain, it searches for the users there. Otherwise it uses the value in DefaultSecurityDomain, without the domain prefix, to locate users.
For example, if all SAML users are identified in your system in security domains that begin with “SAML_”, enter SAML_ in the DomainPrefix field. For a SAML Assertion with the following attributes:
- an organization attribute of “XYZ”
- an organization-id of “1.2.3” which resolves to “XYZ-Organization” in the OID registry
- a homeCommunityID of “4.5.6” which resolves to “RHIO-A” in the OID registry
InterSystems would look in the following order for domains named:
- “SAML_XYZ-Organization”
- “SAML_XYZ”
- “SAML_RHIO-A”
If none of those domains are found, InterSystems looks in the default domain.
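The lookup order above, written out as a small Python model so the fallback behaviour can be checked against the worked example. This is an added illustration, not InterSystems code: the attribute field names, the shape of the OID registry (a plain OID-to-code mapping), the sample domain name “Partners” and the return value when no default domain is configured are assumptions of the model, not documented product behaviour.

```python
"""Model of the XUA security-domain lookup order described in the text.

Added illustration, not InterSystems code. The candidate order and the
unprefixed fallback to DefaultSecurityDomain follow the text; the attribute
names, the registry shape and the None return are this model's assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SamlAssertionAttrs:
    """The three SAML attribute values the lookup uses (field names are this model's)."""
    organization: Optional[str] = None        # organization name, used directly
    organization_id: Optional[str] = None     # an OID, resolved through the registry
    home_community_id: Optional[str] = None   # an OID, resolved through the registry


def candidate_domains(attrs: SamlAssertionAttrs, oid_registry: dict, prefix: str) -> list:
    """Return the prefixed domain names to try, in the order the text gives.

    1. prefix + registry code for organization-id
    2. prefix + organization name
    3. prefix + registry code for homeCommunityId
    A missing attribute, or an OID the registry does not know, produces no
    candidate for that step (an assumption of this model) rather than a
    partial name such as the bare prefix.
    """
    steps = [
        oid_registry.get(attrs.organization_id) if attrs.organization_id else None,
        attrs.organization,
        oid_registry.get(attrs.home_community_id) if attrs.home_community_id else None,
    ]
    return [prefix + value for value in steps if value]


def resolve_domain(attrs: SamlAssertionAttrs, oid_registry: dict, prefix: str,
                   existing_domains: set, default_domain: Optional[str]) -> Optional[str]:
    """First candidate that exists as a security domain, else the default.

    The default is used as configured, without the prefix, as the text
    describes. With no default configured this model returns None; the
    product's behaviour in that case is not described on this page.
    """
    for name in candidate_domains(attrs, oid_registry, prefix):
        if name in existing_domains:
            return name
    return default_domain or None


# Constructed sample data mirroring the worked example in the text.
OID_REGISTRY = {"1.2.3": "XYZ-Organization", "4.5.6": "RHIO-A"}
EXAMPLE = SamlAssertionAttrs(organization="XYZ",
                             organization_id="1.2.3",
                             home_community_id="4.5.6")

if __name__ == "__main__":
    print(candidate_domains(EXAMPLE, OID_REGISTRY, "SAML_"))
    # Only the RHIO-level domain exists: the first two candidates are skipped.
    print(resolve_domain(EXAMPLE, OID_REGISTRY, "SAML_",
                         {"SAML_RHIO-A", "Partners"}, "Partners"))
    # None of the candidates exist: fall back to the default, unprefixed.
    print(resolve_domain(EXAMPLE, OID_REGISTRY, "SAML_", {"Partners"}, "Partners"))
```

The model makes one point visible that the prose only implies: an assertion from an organization whose OID is not in the registry, or which carries no recognisable organization name, ends up in the default domain rather than being rejected, so the users defined in DefaultSecurityDomain are the ones any unrecognised sender will be matched against.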
You can change this behavior by overriding the GetDomain() method in your processor class. In the provided example, HS.IHE.XUA.SHINNY.Processor.cls, the following scheme is used:
- DomainPrefix_UserOrganizationOID
- DomainPrefix_UserOrganizationName
- DomainPrefix_UserRHIO (which is an OID)