OpenAM / OPENAM-7604

OpenAM needs to be able to extract custom attributes for users not managed by an OpenAM Repository through REST

Details

• Type: Improvement
• Status: Resolved
• Priority: Major
• Resolution: Duplicate
• Affects Version/s: 12.0.0, 12.0.1, 12.0.2
• Fix Version/s: None
• Component/s: rest
• Labels: None
• Support Ticket IDs:

Description

Currently, if the user session/token is enriched with attributes/properties through a post authentication plugin (http://openam.forgerock.org/apidocs/com/sun/identity/authentication/spi/AMPostAuthProcessInterface.html) and the user account is not managed by an OpenAM repository, the OpenAM REST and SOAP APIs are not able to retrieve these custom attributes from the SSO token. The current workaround is to use the Client SDK, but it retrieves all the attributes from the SSO token, even if only one attribute is needed. It would help if OpenAM were able to extract one or more of these custom attributes through the REST API:

• calls to the endpoint /json/subjectattributes?_queryFilter=true (or another endpoint) should list the custom attributes;
• calls to the endpoint /json/subjectattributes?attributes=foo1,foo2 (or another endpoint) should return the attributes' values.

Example: an authentication chain which consists of an LDAP module and a post authentication plugin (http://openam.forgerock.org/apidocs/com/sun/identity/authentication/spi/AMPostAuthProcessInterface.html). The LDAP module authenticates the user against a particular external repository. The post authentication plugin retrieves user roles and additional attributes from another repository and sets them as SSO token properties (see SSOToken.setProperty() (http://openam.forgerock.org/apidocs/com/iplanet/sso/SSOToken.html#setProperty%28java.lang.String,%20java.lang.String%29)). There are multiple applications (service providers) which read the properties from the token and use them in an application-specific way; the most common use case is to take the property “Role ABC” and build up a permission set which applies only to that application.
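A worked version of the setup the description sketches, added here as an illustration (it is not code from this issue or from OpenAM): a post authentication plugin that stores roles from a second repository as an SSO token property via SSOToken.setProperty(), plus the Client SDK read side that fetches only that one property after validating the token. The class name, the property name `app-roles`, the user `alice` and the `lookupRoles` stand-in are assumptions.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

/** Hypothetical plugin: on login, copies roles from a second repository into the SSO token. */
public class RoleEnrichmentPostAuthPlugin implements AMPostAuthProcessInterface {

    // Assumed property name; every application reading the token must use the same one.
    public static final String ROLES_PROPERTY = "app-roles";

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response, SSOToken ssoToken) throws AuthenticationException {
        try {
            String userId = ssoToken.getPrincipal().getName();
            // Store the roles as a single comma-separated token property.
            ssoToken.setProperty(ROLES_PROPERTY, lookupRoles(userId));
        } catch (SSOException e) {
            // Fail the login rather than issue a session that carries no role information.
            throw new AuthenticationException("Unable to enrich SSO token: " + e.getMessage());
        }
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException { /* nothing to enrich */ }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
            SSOToken ssoToken) throws AuthenticationException { /* OpenAM destroys the token */ }

    /** Stand-in for the query against the second repository; returns constructed sample data. */
    static String lookupRoles(String userId) {
        return "alice".equals(userId) ? "Role ABC,Role XYZ" : "";
    }

    /** Application side (the Client SDK workaround): fetch only the role property of a session. */
    public static String readRoles(String tokenId) throws SSOException {
        SSOTokenManager manager = SSOTokenManager.getInstance();
        SSOToken token = manager.createSSOToken(tokenId);
        if (!manager.isValidToken(token)) {
            throw new SSOException("SSO token is not valid");
        }
        return token.getProperty(ROLES_PROPERTY);
    }
}
```

The plugin class is registered on the authentication chain as its post authentication processing class; `readRoles` is what a service provider would call with the session token id instead of going through REST.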


              People

• Assignee: Peter Major (peter.major, inactive)
• Reporter: Abel Hoxeng (abel.hoxeng)
• Votes: 1
• Watchers: 3
