Configuring an External LDAP Attribute Source to Enrich Grants

Overview

An OAuth/OIDC definition can be configured to retrieve attributes that enrich the grant. The attribute source can be a fixed value or an LDAP attribute source.

This topic provides instructions for configuring an external LDAP attribute source to enrich grants.

Configuring provider.yml

  • The definition section of provider.yml declares an attribute_map that lists the claims to resolve and the attribute source each one maps to.

# Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
version: 22.12
logging:
  level: debug
definition:
  id: 1
  name: OIDC Definition
  grant_types:
    - authorization_code
  pre_mappingrule_id: isvaop_pretoken    # Pre-Token mapping rule ID.
  post_mappingrule_id: isvaop_posttoken
  base_url: https://isvaop.ibm.com:445/isvaop
  token_settings:                        # Token Settings
    issuer: https://isvaop.ibm.com       # OP's issuer URI.
    signing_alg: PS256                   # Signing algorithm for the generated ID token.
    signing_keystore: isvaop_signing     # Signing keystore name.
    signing_keylabel: jwtsigning         # Signing key label.
  attribute_map:                         # Attribute mapping to resolve claims. Also refer to attributesources.yml
    surname: surname
server:
  ssl:
    key: ks:isvaop_keys/httpserverkey
    certificate: ks:isvaop_keys/httpservercert
jwks:
  signing_keystore: isvaop_signing
secrets:
  obf_key: "ENC:iUt+3MzCntxSL2FPTUuJqER79UaiRSApMz3cbgJm4yzuiv6H7KN8ADsamX6+Qre1oTsATjnb1bJ0Lmi7WWfxWeGT477yqqvgVayFlCDIFzZeNkdINjASfTE3B+/3Sm9YjIYuWtZdySiXeydhJXSiOGU9osdA9g2BZXR4eMrXNutCuaSvFH6MY+TyOH5q15vy6vEWOebJQHrnug0A8rN6NF8G8XaxCe/+yqH57jJpdhm0N7iUydIYOBOQ1wDgCc8nRMWkQqlkcRhDZvLLAIlhoshYvo06ubyryt8/vv/0AvTLq9AIiQoL8CtYLr+SNZlzWe4CnHYZdO9S+AIrUOVORw=="
  enc_key: "@keys/private.pem"

  • Read more about key management to create the jwtsigning key that signs the id_token, and to create the https_keys referenced by the server node.
  • The secrets node defines the secret data used to obfuscate or encrypt entries within the YAML configuration documents. Read more about generating the obf_key and enc_key in the documentation.

Configuring attributesources.yml

  • Each entry in the attribute_map of provider.yml refers to an attribute source in attributesources.yml, which is looked up by its id.

  • Update the attributesources.yml with the following content. Note that the example filter (objectclass=*) matches every entry under the base DN; in a deployment, narrow the filter with a macro so that the search returns only the authenticated user's entry.

attribute_sources:
  - id: 1                   # Attribute source id.
    name: surname           # Attribute source name.
    type: ldap              # Attribute source type: `value`, `credential`, or `ldap`.
    value: sn               # Attribute source value. For type `value`, the fixed value; for `credential`, a credential attribute; for `ldap`, the LDAP attribute to retrieve.
    scope: subtree          # Only for type `ldap`. LDAP search scope.
    filter: (objectclass=*) # Only for type `ldap`. LDAP search filter. It might contain macros; refer to the Attribute Source documentation.
    selector: cn,mail,mobile,uid,givenName,sn,displayName   # Only for type `ldap`. LDAP selector listing other attributes retrieved together.
    srv_conn: ldap_srvconn  # Only for type `ldap`. LDAP server connection name. Links to an `ldap` server connection in `storage.yml`.
    baseDN: dc=ibm,dc=com   # Only for type `ldap`. LDAP base DN. It might contain macros, like `filter`.

Configuring storage.yml

  • The srv_conn node of an attribute source in attributesources.yml refers to a server connection of the same name in storage.yml.

  • Update the storage.yml with the following content:

...
server_connections:                   # Server connections
  - name: ldap_srvconn                # Connection name
    type: ldap                        # Connection type
    hosts:                            # List of host information (IP and port)
      - hostname: openldap            # Server's hostname
        hostport: 636                 # Server's host port
        credential:                   # Credential information to connect to the host.
          bind_dn: cn=root,secAuthority=Default   # Binding credential for the LDAP server connection.
          bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs="   # Binding password for the LDAP server connection. It is recommended to obfuscate this.
        ssl:
          certificate:                # The SSL connection certificate array.
            - ks:ldap_keys            # The SSL keystore to be used for SSL connections. ks: indicates a keystore.
          disable_hostname_verification: false   # The SSL connection validates the hostname.
        conn_settings:                # Connection pool settings for the LDAP server. Can be specified at the top level if the settings are common across hosts.
          max_pool_size: 50           # Maximum connection pool size.
          connect_timeout: 3          # Connect timeout, in seconds.
          aged_timeout: 5             # Aged timeout, in seconds.

  • Read more about key management in the key management documentation.
  • Read more about bind_password obfuscation in the secrets documentation.
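The three files above form a chain (attribute_map in provider.yml, attribute_sources in attributesources.yml, server_connections in storage.yml) that is easy to break with a typo and that carries the LDAP bind credential and TLS settings. The following added example, which is not part of the product or this page's configuration, walks that chain and reports unresolved references and weak settings; it embeds constructed dicts that mirror the page's YAML fragments, and the check function and its with_override helper are hypothetical names.

```python
import copy
# Constructed dicts mirroring the three YAML fragments on this page; in real use load each
# file with yaml.safe_load (PyYAML) instead of embedding it.
PROVIDER = {"definition": {"attribute_map": {"surname": "surname"}}}
SOURCES = {"attribute_sources": [{
    "id": 1, "name": "surname", "type": "ldap", "value": "sn", "scope": "subtree",
    "filter": "(objectclass=*)", "srv_conn": "ldap_srvconn", "baseDN": "dc=ibm,dc=com"}]}
STORAGE = {"server_connections": [{"name": "ldap_srvconn", "type": "ldap", "hosts": [{
    "hostname": "openldap", "hostport": 636,
    "credential": {"bind_dn": "cn=root,secAuthority=Default",
                   "bind_password": "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs="},
    "ssl": {"certificate": ["ks:ldap_keys"], "disable_hostname_verification": False}}]}]}
def check_grant_enrichment(provider, sources, storage):
    """Walk attribute_map -> attribute_sources -> server_connections; return findings."""
    findings = []
    by_name = {s["name"]: s for s in sources["attribute_sources"]}
    conns = {c["name"]: c for c in storage["server_connections"]}
    for claim, src_name in provider["definition"]["attribute_map"].items():
        src = by_name.get(src_name)
        if src is None:
            findings.append(f"{claim}: no attribute source named {src_name!r}")
            continue
        if src["type"] != "ldap":
            continue  # fixed values and credential attributes need no server connection
        # (objectclass=*) matches every entry under baseDN, so the search is not bound to the user
        if src.get("filter", "").strip().lower() == "(objectclass=*)":
            findings.append(f"{claim}: filter matches every entry under {src.get('baseDN')}")
        conn = conns.get(src.get("srv_conn"))
        if conn is None or conn.get("type") != "ldap":
            findings.append(f"{claim}: srv_conn {src.get('srv_conn')!r} is not an ldap server connection")
            continue
        for host in conn.get("hosts", []):
            where = f"{conn['name']}/{host.get('hostname')}"
            pw = str(host.get("credential", {}).get("bind_password", ""))
            if not pw.startswith(("OBF:", "ENC:")):  # the page recommends obfuscating this value
                findings.append(f"{where}: bind_password is stored in clear text")
            ssl = host.get("ssl")
            if not ssl:
                findings.append(f"{where}: no ssl section, bind credentials would cross the network in clear")
            elif ssl.get("disable_hostname_verification"):
                findings.append(f"{where}: hostname verification disabled")
    return findings

def with_override(doc, path, value):
    """Deep-copy doc and replace the value at the nested key path (used to build variants)."""
    out = node = copy.deepcopy(doc)
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return out
```

Run against the page's own fragments, the only finding is the catch-all search filter; the other checks fire on variants such as a clear-text bind_password or disable_hostname_verification set to true.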

Configuring the mapping rule

  • The isvaop_pretoken.js mapping rule needs to be modified to enrich the grant with the attribute retrieved from LDAP.

/**
 * Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
 */
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

IDMappingExtUtils.traceString("Starting Pre Token JS");

/**
 * Use this mapping rule to enrich the session:
 * - Resolve the claims requested for id_token (and userinfo)
 *   Populate resolved claims into the 'idtokenData' context
 * - Add extra claims for token introspection (and JWT access token)
 *   Populate the extra claims into the 'tokenData' context
 *
 * Attribute Source:
 * The system resolves any attribute source mappings before this mapping rule executes.
 * If the mapping contains a value, it is available in the STSUU attribute container.
 */
IDMappingExtUtils.traceString("STSUU content: " + stsuu.toString());

var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");
var grant_type = stsuu.getContextAttributes().getAttributeValueByName("grant_type");

// All values of the resolved "surname" attribute source (the LDAP attribute sn).
var surname = stsuu.getAttributeContainer().getAttributeValuesByName("surname");
if (surname != null) {
  /** Example of enriching id_token */
  idtokenData["surname"] = surname;
  /**
   * Example of enriching introspection result
   */
  tokenData["surname"] = surname;
}


Configuring the static client

# Copyright contributors to the IBM Verify Identity Access OIDC Provider Resources project
client_id: client_ldap
client_secret: "OBF:U2FsdGVkX19NE2KIGDC4doFwol69xk0roywd9TFjMVFHO6GaNtWhlev29g7XZeuC"
client_name: "AuthorizationCode with LDAP attribute mapping"
enabled: true
redirect_uris:
  - https://www.google.com
  - https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/redirect/partner
grant_types:
  - authorization_code
response_types:
  - code
token_endpoint_auth_method: default