InVision creates new accounts via auto-provisioning when a new user attempts to sign in to an Enterprise account that has SAML enabled. If the needed name attributes aren't sent correctly, names for auto-provisioned accounts can be populated from the email address, with the "@" sign and dot removed, instead of the user's full name. For example, if a user's name is John Smith and their email is jsmith@invisionapp.com, the account name would display as jsmith invisionapp com instead of John Smith.
To avoid the account name displaying incorrectly, it's very important to send the needed attributes.
Below is the hierarchy of logic InVision uses to identify names for SAML auto-provisioned accounts:
- Our implementation searches the response from the Identity Provider for the SAML Attribute Name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname". If set, we use that attribute's value for the account name. Additionally, if the SAML Attribute Name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" is set, we append that attribute's value as the account surname.
- If "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" isn't set, our implementation looks for the SAML Attribute Name "cn". If set, the attribute value of "cn" is used as the account name.
- If neither "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" nor "cn" is set, we use the email address as the name, and scrub out the "@" sign and dot.
Please note that the above attributes apply only to the population of names at the time new accounts are auto-provisioned. Changes to the attributes won't retroactively update the names of existing accounts. For existing accounts, users will need to update their account name by going to View Profile within their InVision account.
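To check what name an Identity Provider's assertion would produce before rolling out SAML, the hierarchy above can be reproduced against a captured assertion. This is an added example, not InVision's code: the function names and sample XML are constructed, and it assumes an empty attribute value counts as "not set" and that the surname is joined to the given name with a space.

```python
import xml.etree.ElementTree as ET

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GIVENNAME, SURNAME = CLAIMS + "givenname", CLAIMS + "surname"


def saml_attributes(assertion_xml):
    """Map each SAML Attribute Name to its first non-empty AttributeValue.

    Inspection only: no signature validation is done here, so run it on
    assertions captured from your own IdP, not on untrusted input.
    """
    attrs = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{ASSERTION_NS}}}Attribute"):
        for value in attr.findall(f"{{{ASSERTION_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if text:  # assumption: empty values are treated as not set
                attrs.setdefault(attr.get("Name"), text)
                break
    return attrs


def provisioned_name(attrs, email):
    """Return (name, source) following the documented fallback order."""
    given = attrs.get(GIVENNAME)
    if given:
        surname = attrs.get(SURNAME)
        # assumption: surname is appended after a single space
        return (f"{given} {surname}" if surname else given), "givenname"
    if attrs.get("cn"):
        return attrs["cn"], "cn"
    # Last resort: the email address with "@" and "." scrubbed out
    return email.replace("@", " ").replace(".", " "), "email"


def _attr(name, value):  # helper for building the constructed samples
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            f'</saml:AttributeValue></saml:Attribute>')


def sample_assertion(*pairs):  # constructed sample, not a real IdP response
    body = "".join(_attr(n, v) for n, v in pairs)
    return (f'<saml:Assertion xmlns:saml="{ASSERTION_NS}">'
            f'<saml:AttributeStatement>{body}</saml:AttributeStatement>'
            f'</saml:Assertion>')


if __name__ == "__main__":
    xml = sample_assertion((GIVENNAME, "John"), (SURNAME, "Smith"))
    print(provisioned_name(saml_attributes(xml), "jsmith@invisionapp.com"))
```

If the reported source is "email", the IdP is not releasing the givenname or cn attribute under the exact names listed above.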