Attribute Source

Attribute source configuration

An attribute source acts as an external datasource where additional information can be retrieved. An attribute mapping entry links a source attribute from a datasource with a target user attribute.

In IBM Security Verify Access OIDC Provider(ISVAOP), attribute mapping is used to enrich grants and resolve requested claims. The same attribute mapping to enrich the introspection result or a custom JSON Web Token (JWT) access token.

In ISVAOP the attribute map is configured in the provider.yml, which defines a mapping between claim name and the attribute source ID. From version 23.03 the mapping is between claim name and the attribute source name rather than ID.

    name: display_name
    age: age
    family_name: surname

The attribute source is identified using the attribute source name. In the following example, it shows three attribute sources of type
value, credential, and ldap.

  - id: 1
    name: display_name
    type: value
    value: anonymous
  - id: 2
    name: age
    type: credential
    value: AZN_CRED_AGE
  - id: 3
    name: surname
    type: ldap
    value: sn
    scope: subtree
    filter: (cn={AZN_CRED_PRINCIPAL_NAME})
    selector: nickname,gender,sn
    srv_conn: ldap
    baseDN: dc=ibm,dc=com

Attribute Source

The following table describes the property of an attribute source.

NameDescriptionValid ValueMandatoryDefault
idAttribute source ID.stringYes
nameAttribute source name.stringYes
typeAttribute source type.value, credential, or ldapYes
valueAttribute source value. For attribute source of type value, this type contains the fixed value. For credential type, it refers to a credential attribute. For ldap type, it refers to an LDAP attribute to be retrieved.stringYes
scopeOnly applicable for attribute source of type ldap. LDAP search scope.base, one level, or subtreeYes(For LDAP)
filterOnly applicable for attribute source type ldap. LDAP search filter. It might contain macros as shown in the previous example.stringYes(For LDAP)
selectorOnly applicable for attribute source type ldap. LDAP selector that contains attributes that are retrieved together.stringYes(For LDAP)
srv_connOnly applicable for attribute source type, ldap. LDAP server connection name. This type links to an ldap server connection in storage.ymlstringYes(For LDAP)
baseDNOnly applicable for attribute source of type ldap. LDAP base DN. It might contain macros similar to filter.stringYes(For LDAP)

When the attribute mapping is resolved in the pre-token mapping rule, the user can perform the following to retrieve the value:

var age = stsuu.getAttributeValueByName("age");
var family_name = stsuu.getAttributeContainer().getAttributeValuesByName("family_name");

// Example of resolving claims for id_token
for (const claim of claims.getAllClaims()) {
    var value = stsuu.getAttributeValueByName(claim);
    if (value != null) {
        idtokenData[claim] = value;