Attribute Source

Attribute source configuration

An attribute source acts as an external datasource from which additional information can be retrieved. An attribute mapping entry links a source attribute from a datasource to a target user attribute.

In IBM Security Verify Access OIDC Provider (ISVAOP), attribute mapping is used to enrich grants and resolve requested claims. The same attribute mapping is used to enrich the introspection result or a custom JSON Web Token (JWT) access token.

In ISVAOP the attribute map is configured in provider.yml, which defines a mapping between a claim name and an attribute source ID. From version 23.03 the mapping is between the claim name and the attribute source name rather than the ID.

definition:
  ...
  attribute_map:
    name: display_name
    age: age
    family_name: surname

The attribute source is identified by its attribute source name. The following example shows three attribute sources, one of each type: value, credential, and ldap.

attribute_sources:
  - id: 1
    name: display_name
    type: value
    value: anonymous
  - id: 2
    name: age
    type: credential
    value: AZN_CRED_AGE
  - id: 3
    name: surname
    type: ldap
    value: sn
    scope: subtree
    filter: (cn={AZN_CRED_PRINCIPAL_NAME})
    selector: nickname,gender,sn
    srv_conn: ldap
    baseDN: dc=ibm,dc=com

Attribute Source

The following table describes the properties of an attribute source. The Default column is empty for every property: none of them has a default value.

Name | Description | Valid value | Mandatory | Default
---|---|---|---|---
id | Attribute source ID. | string | Yes | 
name | Attribute source name. | string | Yes | 
type | Attribute source type. | value, credential, or ldap | Yes | 
value | Attribute source value. For an attribute source of type value, this property holds the fixed value. For the credential type, it refers to a credential attribute. For the ldap type, it refers to the LDAP attribute to be retrieved. | string | Yes | 
scope | Only applicable for an attribute source of type ldap. LDAP search scope. | base, one level, or subtree | Yes (for LDAP) | 
filter | Only applicable for an attribute source of type ldap. LDAP search filter. It might contain macros as shown in the previous example. | string | Yes (for LDAP) | 
selector | Only applicable for an attribute source of type ldap. LDAP selector that lists the attributes that are retrieved together. | string | Yes (for LDAP) | 
srv_conn | Only applicable for an attribute source of type ldap. LDAP server connection name. This property links to an LDAP server connection defined in storage.yml. | string | Yes (for LDAP) | 
baseDN | Only applicable for an attribute source of type ldap. LDAP base DN. It might contain macros, as the filter can. | string | Yes (for LDAP) | 

When the attribute mapping is resolved in the pre-token mapping rule, the mapped values are available on the STS universal user (stsuu) under the claim name, and can be retrieved as follows:

// Single-valued attribute, resolved from the credential source mapped to "age"
var age = stsuu.getAttributeValueByName("age");
// All values of a possibly multi-valued attribute, returned as an array
var family_name = stsuu.getAttributeContainer().getAttributeValuesByName("family_name");

// Example of resolving claims for id_token: copy each requested claim that
// the attribute mapping resolved; claims with no value are left out
for (const claim of claims.getAllClaims()) {
    var value = stsuu.getAttributeValueByName(claim);
    if (value != null) {
        idtokenData[claim] = value;
    }
}