Federate Authentication to external OIDC Provider

This topic has 9 replies, 2 voices, and was last updated 2 months, 2 weeks ago by Jatinder Singh.

    #28594

    Hi,

    We have a customer requirement to enable bank authentication for certain applications. To achieve that, we are trying to integrate AM with an external OIDC-compliant OpenID provider (Signicat) which provides bank authentication.

    We have achieved the integration by using the OpenID Connect node.

    The OIDC integration from AM to the external IdP (Signicat) works fine, but the attribute mapping is not working correctly for an attribute with the key "signicat.national_id", which is returned as part of the userInfo response.

    It seems that the dot (.) in the key name is interfering with the "org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper" processing.

    Sample userInfo response:
    {
      "sub": "LEIZwuW_v2xWdDyBoZke5V_OSUN7-eFu",
      "name": "John Doe",
      "signicat.national_id": "195809051880",
      "given_name": "John",
      "locale": "SV",
      "family_name": "Doe"
    }

    It throws the following error in the AM logs during user account creation in AM:
    {"timestamp":"2021-06-28T10:28:11.718Z","level":"ERROR","thread":"http-nio-8080-exec-10","mdc":{"transactionId":"76c1a3b1-6797-466e-b165-e283b4113849-2129"},"logger":"org.forgerock.openam.authentication.modules.common.mapping.JsonAttributeMapper","message":"defaultAttributeMapper.getAttributes: Could not get the attribute 'signicat.national_id'","context":"default","exception":"org.json.JSONException: JSONObject[\"signicat\"] not found.\n\tat org.json.JSONObject.get(JSONObject.java:498)\n\tat org.json.JSONObject.getJSONObject(JSONObject.java:592)

    Any ideas on how to overcome that, i.e. how this attribute should be mapped in the OIDC node UI (Attribute Mapper Configuration)?

    Regards,
    Suren

    #28595
     Jatinder Singh
    Participant

    If you look at the error message, it reads "signicat not found". The JSON Attribute Mapper provides a DOT notation feature to get the value of a child attribute, e.g. if we configure parent.child=amattr in the node, it would set amattr to childvalue for the following payload:

    {
       "parent":{
          "child":"childvalue"
       }
    }

    So the DOT in the KEY of your payload is interfering with the above feature: it is trying to find the signicat key, but it doesn't exist by itself. I would suggest trying to escape the key name or writing a custom attribute mapper.

    Hope it helps!

    #28597

    Thanks @jsingh for the quick reply. I have tried various combinations to escape the key name, but no luck:

    signicat[\"national_id\"]
    signicat['national_id']
    signicat\u002enational_id
    [\"signicat.national_id\"]
    

    Do you have any suggestions on this?

    I am a bit new to ForgeRock, so if you could please point me to any documentation or example about writing a custom attribute mapper, that would be very helpful.
    Thanks for your time.

    Regards,
    Suren

    #28599
     Jatinder Singh
    Participant

    Where did you escape that string? In the OIDC node? If yes, could you please share the exact KEY-VALUE mapping you have in place?

    Thanks.

    #28600

    @jsingh Yes, in the OIDC node Attribute Mapper Configuration. I have tried many different combinations, as I mentioned in my earlier comment.

    https://ibb.co/0hLN37c (OIDC attribute mapper screenshot)

    I also tried looking into the attribute mapper code at
    https://stash.forgerock.org/projects/OPENAM/repos/openam-public/commits/96dfab48fc446b6279cce9e0ad25cea14380d96e#openam-authentication/openam-auth-common/src/main/java/org/forgerock/openam/authentication/modules/common/mapping/JsonAttributeMapper.java and, looking at the code, it seems that even escaping won't help.

    Please let me know if you need more information.

    #28604
     Jatinder Singh
    Participant

    Thanks for sharing the screenshot. If that didn't work, my suggestion, as mentioned earlier, would be to roll a custom attribute mapper.

    You will need the following to write a custom wrapper:
    * Maven's settings.xml file – check https://backstage.forgerock.com/knowledge/kb/article/a74096897;
    * In your project, you can start with the below pom.xml, which basically makes openam-auth-common the project's dependency in order to reference the AttributeMapper interface;
    * Once you have the above in place, write a custom Java class that implements the AttributeMapper interface and provide a custom implementation in the getAttributes method.

    Hope this helps!

    
    <?xml version="1.0" encoding="UTF-8"?>
    <project xmlns="http://maven.apache.org/POM/4.0.0"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
    
        <groupId>customjw</groupId>
        <artifactId>com.sqoopdata.wrappers</artifactId>
        <version>1.0-SNAPSHOT</version>
    
        <properties>
            <am.version>7.1.0</am.version>
            <maven.compiler.source>1.8</maven.compiler.source>
            <maven.compiler.target>1.8</maven.compiler.target>
            <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        </properties>
    
        <dependencies>
            <dependency>
                <groupId>org.forgerock.am</groupId>
                <artifactId>openam-auth-common</artifactId>
                <scope>provided</scope>
                <version>${am.version}</version>
                <exclusions> <!-- excluding due to 403 forbidden message -->
                    <exclusion>  <!-- declare the exclusion here -->
                        <groupId>org.apache.servicemix.bundles</groupId>
                        <artifactId>org.apache.servicemix.bundles.java-xmlbuilder</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
        </dependencies>
    
        <repositories>
            <repository>
                <snapshots>
                    <enabled>false</enabled>
                </snapshots>
                <id>forgerock-private-releases</id>
                <name>ForgeRock Private Release Repository</name>
                <url>http://maven.forgerock.org/repo/private-releases</url>
            </repository>
        </repositories>
    </project>
    
    #28605
     Jatinder Singh
    Participant

    Once you have a JAR built, you will need to package it in your OpenAM.war file in the libs directory and re-deploy. Then, in your node, you can reference your custom artifact instead of the default JSON attribute mapper.

    Hope this helps!

    Jatinder
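
    The following is an added worked example of the custom mapper described in #28604 and #28605, illustrating the DOT-notation behaviour explained in #28595; it is not code from this thread, from ForgeRock or from Sqoop Data. It assumes the AttributeMapper interface from openam-auth-common has the shape init(String) plus getAttributes(T source, Map<String,String> config) throws AuthLoginException, that the userInfo payload arrives as an org.json.JSONObject (as the stack trace above indicates), and that slf4j is on the classpath (AM 7 logs through it); the package and class names are hypothetical. The mapper tries each configured key as a literal top-level JSON key first (so "signicat.national_id=nationalId" resolves), and only then falls back to dot-path traversal so existing "parent.child=amattr" mappings keep working. A missing attribute is logged and skipped rather than thrown, so one absent claim does not abort account creation for the whole mapping.

```java
package com.example.am.mapping; // hypothetical package, not from the thread

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.json.JSONArray;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.sun.identity.authentication.spi.AuthLoginException;
import org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper;

/**
 * Attribute mapper that prefers a literal top-level key over dot-path traversal.
 *
 * Mapping entries as typed into the node's Attribute Mapper Configuration:
 *   signicat.national_id=nationalId   -> literal key "signicat.national_id" wins
 *   parent.child=amattr               -> no literal key, so walk parent -> child
 *
 * Interface shape (init/getAttributes) is assumed from openam-auth-common.
 */
public class LiteralKeyFirstJsonAttributeMapper implements AttributeMapper<JSONObject> {

    private static final Logger LOGGER = LoggerFactory.getLogger(LiteralKeyFirstJsonAttributeMapper.class);

    @Override
    public void init(String bundleName) {
        // No resource bundle is needed by this mapper.
    }

    @Override
    public Map<String, Set<String>> getAttributes(JSONObject source,
            Map<String, String> attributeMapConfiguration) throws AuthLoginException {
        Map<String, Set<String>> result = new HashMap<>();
        if (source == null || attributeMapConfiguration == null) {
            return result;
        }
        for (Map.Entry<String, String> entry : attributeMapConfiguration.entrySet()) {
            String jsonKey = entry.getKey();
            String amAttribute = entry.getValue();

            // 1. literal key (handles keys that themselves contain a dot)
            // 2. otherwise dot-path traversal, matching the default mapper's feature
            Object value = source.has(jsonKey) ? source.opt(jsonKey) : resolveDotPath(source, jsonKey);

            if (value == null || JSONObject.NULL.equals(value)) {
                // Skip instead of failing: a missing optional claim should not abort the login.
                LOGGER.debug("Attribute '{}' not present in userInfo; skipping mapping to '{}'",
                        jsonKey, amAttribute);
                continue;
            }
            result.put(amAttribute, toStringSet(value));
        }
        return result;
    }

    /** Walks a.b.c through nested JSONObjects; returns null if any segment is absent. */
    private static Object resolveDotPath(JSONObject source, String path) {
        Object current = source;
        for (String segment : path.split("\\.")) {
            if (!(current instanceof JSONObject) || !((JSONObject) current).has(segment)) {
                return null;
            }
            current = ((JSONObject) current).opt(segment);
        }
        return current;
    }

    /** AM attributes are multi-valued; flatten a JSON array, otherwise wrap the scalar. */
    private static Set<String> toStringSet(Object value) {
        Set<String> values = new HashSet<>();
        if (value instanceof JSONArray) {
            JSONArray array = (JSONArray) value;
            for (int i = 0; i < array.length(); i++) {
                Object item = array.opt(i);
                if (item != null && !JSONObject.NULL.equals(item)) {
                    values.add(String.valueOf(item));
                }
            }
        } else {
            values.add(String.valueOf(value));
        }
        return values;
    }
}
```

    Build this with the pom.xml from #28604, drop the JAR into the deployed WAR's libs directory as #28605 describes, and enter the fully qualified class name (here com.example.am.mapping.LiteralKeyFirstJsonAttributeMapper) in the node in place of the default JsonAttributeMapper. Because the literal lookup is tried first, a provider that ever returned both a top-level "signicat.national_id" and a nested "signicat":{"national_id":...} would have the top-level value win; if that ambiguity matters for the identifier you provision, check the userInfo contract with the provider before relying on the fallback.
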

    #28606

    Thanks @jsingh. This is very helpful. Really appreciate your help.
    I will implement the custom attribute mapper and get back to you.

    Regards,
    Suren

    #28615

    @jsingh, the custom attribute mapper works fine. I have also created a ticket with FR about this issue.
    Thanks for your support.

    #28616
     Jatinder Singh
    Participant

    Great! Glad I could help. Happy ForgeRocking!

    Jatinder Singh
    Sqoop Data
    ForgeRock Implementation Partner
