Currently, if the user session/token is enriched with attributes/properties through a post-authentication plugin (http://openam.forgerock.org/apidocs/com/sun/identity/authentication/spi/AMPostAuthProcessInterface.html) and the user account is not managed by the OpenAM repository, the OpenAM REST and SOAP APIs are not able to retrieve these custom attributes from the SSO token. The current workaround is to use the Client SDK, but it retrieves all the attributes from the SSO token, even if only one attribute is needed. It would help if OpenAM were able to extract one or more of these custom attributes through the REST API:
- the calls to the endpoint /json/subjectattributes?_queryFilter=true or other endpoint should list the custom attributes;
- the calls to the endpoint /json/subjectattributes?attributes=foo1,foo2 or other endpoint should return the attributes' values.
Example: an authentication chain which consists of an LDAP module and a post-authentication plugin (http://openam.forgerock.org/apidocs/com/sun/identity/authentication/spi/AMPostAuthProcessInterface.html). The LDAP module authenticates the user against a particular external repository. The post-authentication plugin retrieves user roles and additional attributes from another repository and sets them as SSO token properties (see SSOToken.setProperty() (http://openam.forgerock.org/apidocs/com/iplanet/sso/SSOToken.html#setProperty%28java.lang.String,%20java.lang.String%29)). There are multiple applications (service providers) which read the properties from the token and use them in an application-specific way; the most common use case is to take the property "Role ABC" and build up a permission set which applies only to that application.
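The enrichment step described above, written out as an added example (this is not OpenAM code and not the reporter's plugin): a post-authentication plugin that, after the LDAP module has authenticated the user, copies roles and one extra attribute from a second repository onto the SSO token with SSOToken.setProperty(), plus the single-property read that an application, or the requested REST endpoint, would perform. The property names (custom.roles, custom.department), the in-memory map standing in for the second repository, and the user entry in it are all constructed for this example; only the AMPostAuthProcessInterface and SSOToken calls are OpenAM's own API.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

/**
 * Illustrative post-authentication plugin: after the LDAP module has
 * authenticated the user, look up roles and an extra attribute in a second
 * repository and store them on the SSO token as properties.
 */
public class RoleEnrichingPostAuthPlugin implements AMPostAuthProcessInterface {

    // Property names are an assumption of this example; OpenAM does not fix them.
    static final String ROLES_PROPERTY = "custom.roles";
    static final String DEPARTMENT_PROPERTY = "custom.department";

    // Constructed stand-in for the "another repository" that holds roles and
    // attributes for accounts OpenAM's own repository does not manage.
    private static final Map<String, Map<String, String>> EXTERNAL_REPO = new HashMap<>();
    static {
        Map<String, String> alice = new HashMap<>();
        alice.put(ROLES_PROPERTY, "Role ABC,Role XYZ");
        alice.put(DEPARTMENT_PROPERTY, "finance");
        EXTERNAL_REPO.put("uid=alice,ou=people,dc=example,dc=com", alice);
    }

    /** Look up the authenticated principal; an unknown principal gets no extra properties. */
    static Map<String, String> lookupAttributes(String principalName) {
        Map<String, String> attrs = EXTERNAL_REPO.get(principalName);
        return attrs == null ? Collections.<String, String>emptyMap() : attrs;
    }

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        try {
            // The principal name comes from the token OpenAM issued, never from
            // request parameters, so a client cannot choose whose roles it gets.
            String principal = ssoToken.getPrincipal().getName();
            for (Map.Entry<String, String> e : lookupAttributes(principal).entrySet()) {
                // SSOToken properties are plain strings, so a multi-valued
                // attribute is stored as one comma-separated value.
                ssoToken.setProperty(e.getKey(), e.getValue());
            }
        } catch (SSOException e) {
            // Failing closed: if enrichment breaks, the login is rejected rather
            // than issuing a token with partial role information.
            throw new AuthenticationException(e.getMessage());
        }
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response) throws AuthenticationException {
        // Nothing to enrich on failure.
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
                         SSOToken ssoToken) throws AuthenticationException {
        // Properties live in the session and are discarded with it.
    }

    /**
     * What a service provider (or the requested REST endpoint) needs: a single
     * named property, not the full attribute set the Client SDK returns today.
     */
    static String[] readRoles(SSOToken ssoToken) throws SSOException {
        String roles = ssoToken.getProperty(ROLES_PROPERTY);
        return roles == null || roles.isEmpty() ? new String[0] : roles.split(",");
    }
}
```

The plugin is wired into the chain through the post-authentication processing class setting of the authentication service; readRoles() is the per-application step that builds a permission set from "Role ABC" and the like, and it is exactly the one-attribute read that the proposed /json/subjectattributes?attributes=... call would expose over REST.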