Configuring an External LDAP Attribute Source to Enrich Grants
Overview
An OAuth/OIDC definition can be configured to retrieve attributes that enrich the grant. The attribute source can be a fixed value or an LDAP attribute source.
In this topic we provide instructions for configuring an external LDAP attribute source to enrich grants.
Configuring provider.yml
- The definition configuration defines an attribute_map configuration.
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
version: 22.12
logging:
  level: debug
definition:
  id: 1
  name: OIDC Definition
  grant_types:
    - authorization_code
  pre_mappingrule_id: isvaop_pretoken # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken
  base_url: https://isvaop.ibm.com:445/isvaop
  token_settings: # Token Settings
    issuer: https://isvaop.ibm.com # OP's issuer URI.
    signing_alg: PS256 # Signing algorithm for ID token generated.
    signing_keystore: isvaop_signing # Signing keystore name.
    signing_keylabel: jwtsigning # Signing key label.
  attribute_map: # Attribute mapping to resolve claims. Also refer to attributesources.yml
    surname: surname
server:
  ssl:
    key: ks:isvaop_keys/httpserverkey
    certificate: ks:isvaop_keys/httpservercert
  jwks:
    signing_keystore: isvaop_signing
secrets:
  obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
  enc_key: "@keys/private.pem"
- Read more about key management to be able to create a jwtsigning key to sign the id_token, and to create https_keys to configure the server node. The secrets node defines secret data which can be used to obfuscate or encrypt entries within the YAML configuration documents. Read more about generating the obf_key and enc_key in the document.
Configuring attributesources.yml
- Based on the attribute map configuration in provider.yml, the matching entry in attributesources.yml is referenced by its id.
- Update the attributesources.yml with the following content:
attribute_sources:
  - id: 1 # Attribute source id.
    name: surname # Attribute source name.
    type: ldap # Attribute source type. `value`, `credential`, or `ldap`
    value: sn # Attribute source value. For attribute source of type `value`, this contains the fixed value. For `credential` type, it refers to a credential attribute. For `ldap` type, it refers to an LDAP attribute to be retrieved.
    scope: subtree # Only for attribute source of type `ldap`. LDAP search scope.
    filter: (objectclass=*) # Only applicable for attribute source type `ldap`. LDAP search filter. It might contain macros, refer to Attribute Source documentation
    selector: cn,mail,mobile,uid,givenName,sn,displayName # Only applicable for attribute source type `ldap`. LDAP selector containing other attributes that are retrieved together.
    srv_conn: ldap_srvconn # Only applicable for attribute source type `ldap`. LDAP server connection name. This links to an `ldap` server connection in `storage.yml`
    baseDN: dc=ibm,dc=com # Only for attribute source of type `ldap`. LDAP base DN. It might contain macros similar to `filter`.
Configuring storage.yml
- Based on the attribute sources configuration in attributesources.yml, the matching server connection in storage.yml is referenced by the srv_conn node.
- Update the storage.yml with the following content:
...
server_connections: # Server connections
  - name: ldap_srvconn # Connection name
    type: ldap # Connection type
    hosts: # List of host information (IP and port)
      - hostname: openldap # Server's hostname
        hostport: 636 # Server's host port
        credential: # Credential information to connect to the host.
          bind_dn: cn=root,secAuthority=Default # Specifies the binding credential for the LDAP server connection.
          bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs="
          # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
        ssl:
          certificate: # The SSL connection certificate array.
            - ks:ldap_keys # The SSL keystore to be used for SSL connections. ks: indicates keystore.
          disable_hostname_verification: false # The SSL connection validates the hostname.
        conn_settings: # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
          max_pool_size: 50 # Maximum connection pool size.
          connect_timeout: 3 # Connect timeout, in seconds.
          aged_timeout: 5 # Aged timeout, in seconds.
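The three files above only work together when attribute_map, attribute_sources and server_connections reference each other consistently, and a dangling srv_conn or a plaintext bind_password is easy to miss by eye. The following is an added example, not part of the product documentation or its resources: a small consistency check over the three documents. It assumes an attribute_map value is matched to an attribute source by its name (as in the page, where both are surname), and the dicts are constructed here to mirror the YAML shown above so the check runs offline.

```python
# Added example (not from the IBM docs): cross-check provider.yml, attributesources.yml
# and storage.yml. The dicts are what a YAML loader would return for the page's files;
# they are constructed inline so this runs without the product or a YAML library.
PROVIDER = {"definition": {"attribute_map": {"surname": "surname"}}}
ATTR_SOURCES = {"attribute_sources": [{
    "id": 1, "name": "surname", "type": "ldap", "value": "sn",
    "scope": "subtree", "filter": "(objectclass=*)",
    "srv_conn": "ldap_srvconn", "baseDN": "dc=ibm,dc=com"}]}
STORAGE = {"server_connections": [{
    "name": "ldap_srvconn", "type": "ldap",
    "hosts": [{"hostname": "openldap", "hostport": 636,
               "credential": {"bind_dn": "cn=root,secAuthority=Default",
                              "bind_password": "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs="},
               "ssl": {"certificate": ["ks:ldap_keys"],
                       "disable_hostname_verification": False}}]}]}

LDAP_REQUIRED = ("value", "scope", "filter", "srv_conn", "baseDN")


def check_configs(provider, sources, storage):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    by_name = {s["name"]: s for s in sources.get("attribute_sources", [])}
    conns = {c["name"]: c for c in storage.get("server_connections", [])}
    # 1. every attribute_map entry must resolve to an attribute source (matched by name: assumption)
    for claim, src in provider["definition"].get("attribute_map", {}).items():
        if src not in by_name:
            findings.append(f"attribute_map '{claim}' -> no attribute source named '{src}'")
    for name, src in by_name.items():
        if src.get("type") != "ldap":
            continue
        # 2. an ldap source needs the full set of search keys and a resolvable ldap server connection
        for key in LDAP_REQUIRED:
            if key not in src:
                findings.append(f"attribute source '{name}' missing '{key}'")
        conn = conns.get(src.get("srv_conn"))
        if conn is None or conn.get("type") != "ldap":
            findings.append(f"attribute source '{name}' srv_conn '{src.get('srv_conn')}' is not an ldap server connection")
            continue
        # 3. hygiene on the connection the source will actually use
        for host in conn.get("hosts", []):
            where = f"{conn['name']}/{host.get('hostname')}"
            pw = host.get("credential", {}).get("bind_password", "")
            if not pw.startswith(("OBF:", "ENC:")):
                findings.append(f"{where}: bind_password is not obfuscated or encrypted")
            ssl = host.get("ssl")
            if ssl is None:
                findings.append(f"{where}: no ssl block, bind credentials would travel in clear")
            elif ssl.get("disable_hostname_verification"):
                findings.append(f"{where}: hostname verification disabled")
    return findings


if __name__ == "__main__":
    for line in check_configs(PROVIDER, ATTR_SOURCES, STORAGE) or ["configs are consistent"]:
        print(line)
```

Run it before deploying a changed attribute source; a non-empty result points at the file and key to fix.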
Configuring the mapping rule
- The isvaop_pretoken.js mapping rule needs to be modified to enrich the grant with the attribute retrieved from LDAP.
/**
 * Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
 */
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

IDMappingExtUtils.traceString("Starting Pre Token JS");

/**
 * Use this mapping rule to enrich the session:
 * - Resolve the claims requested for id_token (and userinfo)
 *   Populate resolved claims into 'idtokenData' context
 * - Adding extra claims for token introspection (and JWT access token)
 *   Populate the extra claims into 'tokenData' context
 *
 * Attribute Source:
 * The system will resolve any attribute source mappings prior to this mapping rule execution.
 * If the mapping should contain a value, it will be available in STSUU attribute container.
 */
IDMappingExtUtils.traceString("STSUU content: " + stsuu.toString());

var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");
var grant_type = stsuu.getContextAttributes().getAttributeValueByName("grant_type");

// The attribute source named "surname" (see attributesources.yml) has already been resolved
// into the STSUU attribute container by the time this rule runs.
var surname = stsuu.getAttributeContainer().getAttributeValuesByName("surname");
if (surname != null) {
  /**
   * Example of enriching id_token
   */
  idtokenData["surname"] = surname;
  /**
   * Example of enriching introspection result
   */
  tokenData["surname"] = surname;
}
Configuring the static client
# Copyright contributors to the IBM Security Verify Access OIDC Provider Resources project
client_id: client_ldap
client_secret: "OBF:U2FsdGVkX19NE2KIGDC4doFwol69xk0roywd9TFjMVFHO6GaNtWhlev29g7XZeuC"
client_name: "AuthorizationCode with LDAP attribute mapping"
enabled: true
redirect_uris:
  - https://www.google.com
  - https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/redirect/partner
grant_types:
  - authorization_code
response_types:
  - code
token_endpoint_auth_method: default