SAML IdP logon page to pass email address to SP
I created a logon page which uses username and password to authenticate the user with AD, but the SP is requesting the user's email address in the SAML assertion. If I set the IdP service Assertion Subject Value to %{session.logon.last.logonname}, I can see that attribute when running the Firefox SAML Tracer. If I change the Subject value to %{session.ad.last.attr.mail}, I do not see the email address in the SAML assertion. Do I need to add an AD Query or Variable Assignment in the VPE to get the email address, and how do I get that into the assertion?

An additional question, if anyone cares to chime in: what do I set as the Assertion Subject Type? When would you select Entity Identifier, Transient Identifier, or Email Address? I tried all of the aforementioned, but it didn't get me the correct results.
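To make the two settings in the question concrete, here is an added example (not part of the original post, and not F5 code) that builds the part of a SAML 2.0 assertion the Subject Value and Subject Type settings control, then reads it back the way the SP, or the SAML Tracer, sees it. The user, issuer and attribute values are constructed samples; the mapping of APM's Subject Type menu entries to the standard NameID format URIs is my understanding, not something the post confirms. Signing, Conditions and the enclosing Response are left out because they do not affect the point.

```python
"""Build a minimal SAML 2.0 assertion as an IdP would, then inspect it as an
SP would, to show what 'Subject Value' and 'Subject Type' become on the wire.
Constructed example: sample user, issuer and attributes are not real."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# NameID formats from the SAML 2.0 Core spec. Assumed mapping of APM's
# Subject Type menu: Email Address -> FMT_EMAIL, Transient Identifier ->
# FMT_TRANSIENT, Entity Identifier -> FMT_ENTITY.
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
FMT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def build_assertion(subject_value, subject_format, attributes,
                    issuer="https://idp.example.com/idp"):
    """Return assertion XML. subject_value is what the IdP's Subject Value
    resolved to; an unresolved session variable yields an empty string here,
    which is exactly the 'no email in the assertion' symptom."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAML_NS}}}Assertion", {"ID": "_a1", "Version": "2.0"})
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    subject = ET.SubElement(root, f"{{{SAML_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML_NS}}}NameID",
                            {"Format": subject_format})
    name_id.text = subject_value
    if attributes:
        # Attributes ride in a separate AttributeStatement; an SP that wants
        # the address as the NameID will not look for it here.
        stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
        for name, value in attributes.items():
            attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", {"Name": name})
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def inspect_assertion(xml_text):
    """Pull out what the SP actually checks: NameID value and Format, plus any
    attributes, from a decoded assertion (what SAML Tracer shows)."""
    root = ET.fromstring(xml_text)
    ns = {"saml": SAML_NS}
    name_id = root.find("saml:Subject/saml:NameID", ns)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        attrs[attr.get("Name")] = [v.text or "" for v in
                                   attr.findall("saml:AttributeValue", ns)]
    return {
        "name_id": (name_id.text or "") if name_id is not None else None,
        "format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def sp_accepts_email_subject(info):
    """What an SP that 'requests the user's email address' typically verifies:
    NameID present, declared as emailAddress, and shaped like an address."""
    nid = info["name_id"]
    return bool(nid) and info["format"] == FMT_EMAIL and "@" in nid


if __name__ == "__main__":
    # Subject Value resolved to the mail attribute, Subject Type = Email Address.
    good = build_assertion("jdoe@example.com", FMT_EMAIL, {"mail": "jdoe@example.com"})
    print(inspect_assertion(good))
    print(sp_accepts_email_subject(inspect_assertion(good)))
    # Subject Value variable never populated: NameID is empty, SP rejects.
    empty = build_assertion("", FMT_EMAIL, {})
    print(sp_accepts_email_subject(inspect_assertion(empty)))
    # Right value, wrong Subject Type: SP expecting emailAddress still rejects.
    wrong_type = build_assertion("jdoe@example.com", FMT_TRANSIENT, {})
    print(sp_accepts_email_subject(inspect_assertion(wrong_type)))
```

Running the inspection on a real assertion captured with SAML Tracer shows both halves of the question at once: whether the NameID element is empty (the Subject Value variable had no value at the time the assertion was built) and whether its Format attribute is the one the SP is configured to accept.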