[OPENAM-7604] OpenAM needs to be able to extract custom attributes for users not managed by an OpenAM Repository through REST Created: 27/Nov/15  Updated: 20/Nov/16  Resolved: 01/Feb/16

Status: Resolved
Project: OpenAM
Component/s: rest
Affects Version/s: 12.0.0, 12.0.1, 12.0.2
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Abel Hoxeng Assignee: Peter Major [X] (Inactive)
Resolution: Duplicate Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicates OPENAM-1650 Implement REST services for manipulat... Resolved
Support Ticket IDs:


Currently, if the user session/token is enriched with attributes/properties through a post-authentication plugin (http://openam.forgerock.org/apidocs/com/sun/identity/authentication/spi/AMPostAuthProcessInterface.html) and the user account is not managed by an OpenAM repository, the OpenAM REST and SOAP APIs are not able to retrieve these custom attributes from the SSO token. The current workaround is to use the Client SDK, but it will retrieve all the attributes from the SSO token, even if only one attribute is needed. It would help if OpenAM were able to extract one or more of these custom attributes through the REST API:

  • the calls to the endpoint /json/subjectattributes?_queryFilter=true or other endpoint should list the custom attributes;
  • the calls to the endpoint /json/subjectattributes?attributes=foo1,foo2 or other endpoint should return the attributes’ values;

Example: an authentication chain which consists of an LDAP module and a post-authentication plugin (http://openam.forgerock.org/apidocs/com/sun/identity/authentication/spi/AMPostAuthProcessInterface.html). The LDAP module authenticates the user against a particular external repository. The post-authentication plugin retrieves user roles and additional attributes from another repository and sets them as SSO token properties (see SSOToken.setProperty() (http://openam.forgerock.org/apidocs/com/iplanet/sso/SSOToken.html#setProperty%28java.lang.String,%20java.lang.String%29)). There are multiple applications (service providers) which read the properties from the token and use them in an application-specific way; the most common use case is to take the property “Role ABC” and build up a permission set which applies only to that application.
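As an added illustration of the scenario described in this issue (example code written for this page, not OpenAM's own code and not the reporter's), the class below implements the AMPostAuthProcessInterface named above: on successful login it looks up the user's roles and sets them on the SSO token with SSOToken.setProperty(), and a separate helper shows the Client SDK side reading back just the one property an application needs with SSOToken.getProperty(). The property name "customRoles", the in-memory role table standing in for the "other repository", and the comma-separated encoding of multiple roles are assumptions made for the example; the interface and SSOToken method signatures are those of the OpenAM 12 public API.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

/**
 * Post-authentication plugin that enriches the SSO token with roles fetched
 * from a repository other than the one the LDAP module authenticated against.
 * Token properties are plain strings, so a multi-valued role list is joined
 * with commas (an encoding chosen for this example, not an OpenAM convention).
 */
public class RoleEnrichmentPostAuthPlugin implements AMPostAuthProcessInterface {

    /** Hypothetical property name under which the roles are stored on the token. */
    public static final String ROLE_PROPERTY = "customRoles";

    /** Constructed stand-in for the external role repository (example data only). */
    private static final Map<String, List<String>> ROLE_REPOSITORY = new HashMap<>();
    static {
        ROLE_REPOSITORY.put("alice", Arrays.asList("Role ABC", "Auditor"));
        ROLE_REPOSITORY.put("bob", Collections.singletonList("Role XYZ"));
    }

    /** Looks up the roles for a principal; an unknown user gets no roles rather than an error. */
    static List<String> lookupRoles(String principalName) {
        List<String> roles = ROLE_REPOSITORY.get(principalName);
        return roles == null ? Collections.<String>emptyList() : roles;
    }

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        try {
            // getPrincipal() returns the authenticated user's DN/name from the LDAP module.
            String principalName = ssoToken.getPrincipal().getName();
            List<String> roles = lookupRoles(principalName);
            // Always set the property, even when empty, so consumers never read a
            // value left over from a previous enrichment of the same token.
            ssoToken.setProperty(ROLE_PROPERTY, String.join(",", roles));
        } catch (SSOException e) {
            // Failing closed: a token we could not enrich is treated as a failed login.
            throw new AuthenticationException(e.getMessage());
        }
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response) throws AuthenticationException {
        // Nothing to enrich on a failed login.
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
                         SSOToken ssoToken) throws AuthenticationException {
        // Token properties are discarded with the session; no cleanup needed.
    }

    /**
     * Client SDK side (the workaround the issue mentions): an application reads only
     * the single property it needs instead of pulling every attribute off the token.
     * Returns an empty list when the property is absent or blank.
     */
    public static List<String> readRoles(SSOToken ssoToken) throws SSOException {
        String raw = ssoToken.getProperty(ROLE_PROPERTY);
        if (raw == null || raw.isEmpty()) {
            return Collections.emptyList();
        }
        return Arrays.asList(raw.split(","));
    }
}
```

The plugin class is registered on the authentication chain through the OpenAM console like any other post-authentication plugin; applications that hold a validated SSOToken then call readRoles() to obtain the "Role ABC"-style values and build their own permission set from them. Splitting on a comma assumes role names never contain one, which is why a real deployment would pick an encoding its role names cannot collide with.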

Comment by Peter Major [X] (Inactive) [ 01/Feb/16 ]

The subjectattributes endpoint is used by the policy framework/policy editor to determine which attributes can be returned as part of a policy decision as "resourceAttributes", as such it is not appropriate for the proposed purposes.

Comment by Peter Major [X] (Inactive) [ 01/Feb/16 ]

I think this is essentially a duplicate of OPENAM-1650, which is already implemented in 13.0.0.
