Supported claims
PassBeyond maps common provider-specific SAML attribute names to stable internal keys. For each single-valued key, aliases are tried in the listed order and the first non-empty value wins.
Each normalized value becomes an X-Passbeyond-Data-* backend header. The email and sAMAccountName keys also participate in subject selection.
Distinguished name
Normalized key: distinguishedName
DNhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/distinguishednamehttp://schemas.xmlsoap.org/claims/DistinguishedName
User principal name
Normalized key: UPN
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upnhttp://schemas.xmlsoap.org/claims/UPN
Common name
Normalized key: CommonName
http://schemas.xmlsoap.org/claims/CommonNamehttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Account name
Normalized keys: sAMAccountName and compatibility key username
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountnamehttp://schemas.xmlsoap.org/claims/WindowsAccountNamehttp://schemas.goauthentik.io/2021/02/saml/username
Email
Normalized key: email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddresshttp://schemas.xmlsoap.org/claims/EmailAddressmailemail
Given name
Normalized key: givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennamehttp://schemas.xmlsoap.org/claims/GivenNamegivenNamefirstName
Surname
Normalized key: surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surnamehttp://schemas.xmlsoap.org/claims/SurnamesnsurNamelastName
Company
Normalized key: company
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/companyhttp://schemas.xmlsoap.org/claims/Companycompany
Department
Normalized key: department
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/departmenthttp://schemas.xmlsoap.org/claims/Departmentdepartment
Telephone number
Normalized key: telephoneNumber
telephoneNumbertelephonephonemobile
Groups
Normalized key: groups
http://schemas.xmlsoap.org/claims/Grouphttp://schemas.microsoft.com/ws/2008/06/identity/claims/groupsmemberOfGroupsgroups
Groups remain multi-valued in the session and are sent to the backend as a comma-separated header value. When a provider supplies one delimited string instead, commas, semicolons, and vertical bars are recognized as separators.
Missing an attribute?
Open an issue or merge request in the PassBeyond repository with sanitized example attribute names, the Identity Provider, and the intended normalized field. Never include a real SAML assertion, session cookie, access token, or personal attribute value.