SAML Module - User Management

0
E.g. In my domain model there are 2 entities: “Worker” and “Planner” (these are also the user roles in the app). Both user roles use the same IdP-configuration to redirect to an Authentication-Mechanism (external to Mendix). When they successfully authenticate they are redirected back to the MxApp where an account is retrieved or created. However, in the IdP-configuration I can’t know which role I’ll be getting back, so I can’t know which entity I need to map the attribute to (entity Worker or Planner). Any idea on how to solve this?
asked
2 answers
0

Hi Jannes,

Your question is a little unclear, so please elaborate if I misunderstood.

The SAML module allows you to add microflow logic before or after logging in. These are the CustomUserProvisioning and CustomAfterSigninLogic. You can select this at the Provisioning tab of your IdP-configuration. This way you can use the normal microflow debugger and breakpoints, which probably makes solving your problems easier and more intuitive.

The CustomUserProvisioning has a list of AssertionAttributes which contain all information given from the external Authentication Mechanism. You can probably derive from there which entity you should use and map accordingly. Hope this helps.

answered
0

Sorry for the late response.

So, as an anonymous user I get to see the custom login page. On this page the anonymous user can choose to log in as an internal employee or external employee. When clicking the “intern employee” there are 2 related project roles: “Worker” and “Planner”. I created a module for UserManagement where I created an entity “Worker” and “Planner” (both are generalizations of “Administration.Account”). Each entity (“Worker” and “Planner”) has its own specific attributes and associations.

The problem is, when I configure the SAML module, I have to set the entity on which I want to map the assertion attributes. But I cannot know this entity since I don’t know which role I’ll be getting back from the identity provider.

In other words:
- When I log in as an Internal Employee, and I get the user role Worker back from the IdP, the assertion attributes should be mapped on the entity “Worker”.
- When I log in as an Internal Employee, and I get the user role Planner back from the IdP, the assertion attributes should be mapped on the entity “Planner”.

answered
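The role-to-entity decision discussed in this thread, sketched in Python as an added example (not code from the SAML module or from either poster); a custom provisioning microflow would apply the same logic to its list of assertion attributes. The attribute name `role` and the qualified entity names are assumptions, and the sample assertion is constructed. Unknown, missing or conflicting role values are rejected rather than defaulted to one of the entities.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTRIBUTE = "role"  # assumption: the attribute name your IdP uses for the role
# Assumed qualified names for the two Account specializations.
ROLE_TO_ENTITY = {"Worker": "UserManagement.Worker", "Planner": "UserManagement.Planner"}

class ProvisioningError(Exception):
    """Raised when the assertion does not identify exactly one known role."""

def assertion_attributes(statement_xml):
    """Return {attribute name: [values]} from an AttributeStatement.

    Assumes the assertion signature was already validated upstream.
    """
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def select_entity(attrs):
    """Pick the entity to provision; fail closed on missing, unknown or conflicting roles."""
    roles = set(attrs.get(ROLE_ATTRIBUTE, []))
    known = roles & ROLE_TO_ENTITY.keys()
    if len(known) != 1 or roles - known:
        raise ProvisioningError(f"cannot map roles {sorted(roles)} to one entity")
    return ROLE_TO_ENTITY[known.pop()]

def sample_statement(*roles):
    """Build a constructed sample AttributeStatement (not real IdP output)."""
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (f'<saml:AttributeStatement xmlns:saml="{NS["saml"]}">'
            '<saml:Attribute Name="mail">'
            '<saml:AttributeValue>j@example.org</saml:AttributeValue></saml:Attribute>'
            f'<saml:Attribute Name="{ROLE_ATTRIBUTE}">{values}</saml:Attribute>'
            '</saml:AttributeStatement>')

if __name__ == "__main__":
    print(select_entity(assertion_attributes(sample_statement("Planner"))))
```

The match is exact and case-sensitive, so a role value the application does not recognise never results in an account being created.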