InVision creates new accounts via auto-provisioning when a new user attempts to sign in to an Enterprise account that has SAML enabled. If the needed name attributes aren't sent correctly, names for auto-provisioned accounts can be populated from the email address, with the "@" sign and dot removed, instead of the user's full name. For example, if a user's name is John Smith, and their email is jsmith@invisionapp.com, instead of displaying John Smith as the account name, jsmith invisionapp com would be used.
To avoid the account name displaying incorrectly, it's very important to send the needed attributes.
Below is the hierarchy of logic InVision uses to identify names for SAML auto-provisioned accounts:
- Our implementation searches the response from the Identity Provider for the SAML Attribute Name `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`. If set, we use that attribute's value for the account name. Additionally, if the SAML Attribute Name `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` is set, we append that attribute's value as the account surname.
- If `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` isn't set, our implementation looks for the SAML Attribute Name `cn`. If set, the attribute value of `cn` is used as the account name.
- If neither `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname` nor `cn` is set, we use the email address as the name, and scrub out the "@" sign and dot.
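The fallback order above, as an added example (not InVision's code): a Python check an administrator could run against a decoded assertion from their IdP to predict the name that would be provisioned. It assumes the email is supplied by the caller, that the scrubbed "@" and dot become spaces as in the example output above, and that an empty attribute value counts as not set; the sample assertion and address are constructed, and the assertion is unsigned.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GIVENNAME = CLAIMS + "givenname"
SURNAME = CLAIMS + "surname"

def saml_attributes(assertion_xml):
    """Return {Attribute Name: first non-empty AttributeValue} from an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        if value:  # assumption: an empty value is treated as "not set"
            attrs.setdefault(attr.get("Name"), value)
    return attrs

def provisioned_name(attrs, email):
    """Apply the documented order: givenname (+ surname), then cn, then email."""
    if GIVENNAME in attrs:
        # surname is only appended when givenname is present
        return " ".join(filter(None, [attrs[GIVENNAME], attrs.get(SURNAME)]))
    if "cn" in attrs:
        return attrs["cn"]
    # Assumption: "@" and "." are replaced by spaces, matching the example output.
    return email.replace("@", " ").replace(".", " ")

def build_assertion(pairs):
    """Constructed, unsigned sample assertion carrying the given attributes."""
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in pairs.items()
    )
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>"
    )

EMAIL = "jsmith@invisionapp.com"  # constructed sample address

if __name__ == "__main__":
    cases = [{GIVENNAME: "John", SURNAME: "Smith"}, {"cn": "John Smith"},
             {SURNAME: "Smith"}, {}]
    for pairs in cases:
        attrs = saml_attributes(build_assertion(pairs))
        print(sorted(attrs), "->", repr(provisioned_name(attrs, EMAIL)))
```

The third case shows that an IdP sending only the surname claim still falls through to the scrubbed email address, since surname is only consulted alongside givenname.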
Please note the above attributes apply only to the population of names at the time new accounts are auto-provisioned. Changes to the attributes won't retroactively update names of existing accounts. For existing accounts, users will need to update their account name by going to View Profile within their InVision account.