This topic has 3 replies, 3 voices, and was last updated 4 years, 10 months ago by diedel.

  • Author
  • #20453


    I want to add a new LDAP attribute, lastIPAddress, defined as the user IP requesting idpssoinit script in a SAML 2 authentication.

    I’m following this section in the documentation:

    Instead of defining the lastIPAddress attribute, can I use some other similar LDAP attribute for this purpose, like ipNetworkNumber, inetUserHttpURL?

    The idea is to update the lastIPAddress attribute in a custom Post Authentication plugin. This custom plugin will connect to the embedded OpenDJ of OpenAM and will update it.

    I need this lastIPAddress attribute to send it afterwards in the SAMLResponse, as required by our Service Provider. Is there a better approach to accomplish this? Maybe creating a custom SAML 2 attribute mapper? But, it would be possible to get the source IP address of the idpssoinit request from the custom attribute mapper?


    Hi Diedel,

    The section you are referencing is more for if you want that new attribute displayed and modifiable by the user.

    If you simply want to make another attribute available you can certainly just use an existing, unused attribute(such as ipNetworkNumber) or another of your choosing.
    Alternately you can create a custom attribute in the user store and add it to a custom objectclass. In both cases here you need to ensure that the attribute will be writable by the account accessing the directory from openAM.

    After the attribute is created or selected you will need to add it to the list of mapped attributes you have defined in your user store configuration in OpenAM. Go to Datastores–> <your user store> then down to LDAP user Attributes. You’ll need to add both the custom attribute AND the custom objectclass in the event you created custom schema.

    At this point the attribute will be available to OpenAM and can be added to teh list of attributes returned in the assertion if you so desire.

    I hope this helps


    Hi Diedel,
    If you are planning to write lastIPAddress to OpenDJ after successful authentication in federation flow just to send it back in SAML response, I would set source ip into user session with property name as “lastIPAddress” in Post Authentication plug-in instead of writing to OpenDJ.

    In onLoginSuccess() method of PostAuthentication plugin, you can set lastIPAddress into user session as below.
    token.setProperty(“lastipaddress”, <IPAddress>);

    Add “lastIPAddress=lastipaddress” in IDP/SP Attribute mapper so that generated SAML response will have lastIPAddress



    Hi grk,

    Yes, I’ve noticed in the comments section of the that the attributes are taken from the SSOToken instead of the LDAP if they are not found.

    Thanks to all.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?