Some identity providers, for example AD FS or Okta, allow you to customize how claims are mapped into the outgoing authentication token. This is particularly useful where a user's UPN differs from their email address in the identity provider. Xakia requires that the user's UPN (that is, what they use to log in to Xakia) is the same as the email address at which they normally receive email.
To help verify that your claims mapping configuration is correct, the Xakia login flow can display a diagnostic page that shows what claim types are being used and what the resolved values are.
This diagnostic page can be accessed as follows:
- Open a new incognito or private browsing window
- Navigate to app.xakiatech.com - you will be redirected to the login page that prompts you for your email address
- Before entering your email address, go to the URL bar, append &diagnosticMode=true to the end of the URL, and press Enter to reload the login page in diagnostic mode
- Now enter your email address and log in as normal
After authenticating at your identity provider, you will be shown a page titled "External Identity Diagnostics".
Note: You will not be able to proceed any further with the login and you will not be able to sign in to Xakia. This diagnostic page is the end of the login flow in diagnostic mode. To log in to Xakia, you will need to navigate to app.xakiatech.com and log in again as normal, without setting the diagnosticMode flag.
The diagnostic page will show the following information:
- Which claim type is being used for the User ID, and the value that was resolved from this claim. The User ID must uniquely identify the user in the identity provider. Xakia stores this User ID against the user record in Xakia, and uses it to locate the user in Xakia when an external login occurs
- Which claim type is being used for the user's Email Address, and the value that was resolved from this claim. The Email Address is what users use to log in to Xakia, and must be a valid email address. If users' UPNs differ from their email addresses in your identity provider, we recommend configuring the claims mapping for Xakia in your identity provider so that the UPN claim is populated with the user's email address
- Which claim types are being used for the Tenant ID, First Name and Last Name, and the values that were resolved for those claims
- Whether or not the user was found in Xakia. The user is located by the User ID first; if no user in Xakia matches the User ID, the lookup falls back to the Email Address
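The following is an added example, not Xakia's code or the diagnostics page itself. It re-implements offline the checks the page describes (which claim each field is resolved from, whether the Email Address is a valid address, whether the UPN differs from a separate mail claim, and the User ID then Email Address lookup order), so you can sanity-check a claim set captured from your identity provider before and after changing its claims mapping. The claim type URIs are the standard WS-Fed/SAML ones; which of them Xakia reads for each field, the user records and the claim sets are all assumptions constructed for the example.

```python
import re

# Standard WS-Fed/SAML claim type URIs. Which of these Xakia reads for each
# field is an assumption made for this example, not documented behaviour.
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
MAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_ID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
TENANT_ID = "http://schemas.microsoft.com/identity/claims/tenantid"

# Assumed field-to-claim mapping. The Email Address field is read from the
# UPN claim because the UPN is what users log in to Xakia with.
FIELD_CLAIMS = {
    "user_id": NAME_ID,
    "email": UPN,
    "tenant_id": TENANT_ID,
    "first_name": GIVEN_NAME,
    "last_name": SURNAME,
}

# Deliberately simple syntax check: one "@", a dot in the domain, no spaces.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed user records: the stored external User ID (None if the user has
# never completed an external login) and the login email address.
USERS = [
    {"user_id": "S-1-5-21-1111-2222-3333-1001", "email": "jane.doe@example.com"},
    {"user_id": None, "email": "john.smith@example.com"},
]


def resolve(claims):
    """Map each field to (claim type, resolved value), as the diagnostics
    page lists them. A claim missing from the token resolves to None."""
    return {field: (ctype, claims.get(ctype)) for field, ctype in FIELD_CLAIMS.items()}


def find_user(user_id, email, users=USERS):
    """Locate the user by User ID first; fall back to Email Address only
    when no record carries that User ID. Returns (record, matched_by)."""
    if user_id:
        for u in users:
            if u["user_id"] == user_id:
                return u, "user_id"
    if email:
        for u in users:
            if u["email"].lower() == email.lower():
                return u, "email"
    return None, None


def diagnose(claims, users=USERS):
    """Reproduce the diagnostics page checks for one claim set."""
    resolved = resolve(claims)
    user_id = resolved["user_id"][1]
    email = resolved["email"][1]
    problems = []
    if not user_id:
        problems.append("no User ID claim: the user cannot be stored or located by ID")
    if not email:
        problems.append("no Email Address claim")
    elif not EMAIL_RE.match(email):
        problems.append(f"Email Address {email!r} is not a valid email address")
    # If the IdP also issues a separate mail claim, a UPN that differs from it
    # is exactly the mismatch the claims mapping is meant to remove.
    mail = claims.get(MAIL)
    if email and mail and email.lower() != mail.lower():
        problems.append(f"UPN {email!r} differs from mail claim {mail!r}: "
                        "populate the UPN claim with the email address")
    user, matched_by = find_user(user_id, email, users)
    return {"resolved": resolved, "problems": problems,
            "user_found": user is not None, "matched_by": matched_by}


# Constructed claim sets, as an IdP might issue them.
BEFORE_FIX = {  # UPN is a non-routable directory name; the mail claim is the real address
    NAME_ID: "S-1-5-21-1111-2222-3333-1002",
    UPN: "jsmith@corp.local",
    MAIL: "john.smith@example.com",
    GIVEN_NAME: "John", SURNAME: "Smith", TENANT_ID: "tenant-a",
}
AFTER_FIX = {**BEFORE_FIX, UPN: "john.smith@example.com"}  # UPN claim now carries the email
KNOWN_USER = {NAME_ID: "S-1-5-21-1111-2222-3333-1001", UPN: "jane.doe@example.com",
              GIVEN_NAME: "Jane", SURNAME: "Doe", TENANT_ID: "tenant-a"}
LEGACY_NAME = {**KNOWN_USER, UPN: "CORP\\jdoe"}  # DOMAIN\user form, not an email address

if __name__ == "__main__":
    for label, claims in [("before fix", BEFORE_FIX), ("after fix", AFTER_FIX),
                          ("known user", KNOWN_USER), ("legacy name", LEGACY_NAME)]:
        r = diagnose(claims)
        print(f"{label}: found={r['user_found']} by={r['matched_by']} problems={r['problems']}")
```

Running it shows the cases the page describes: before the mapping fix the UPN/mail mismatch is reported and no user is found, because neither the new User ID nor the directory UPN matches a record; after the fix the user who has never logged in externally is found through the Email Address fallback; a user whose User ID is already stored is found by User ID even when the Email Address claim is not a valid address, which is why the validity check is reported separately from the lookup result.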