Symantec Access Management

Hi all,
I got a request from a client to include the name of the calling application as a claim in the token during OIDC auhentication. Looking at the Custom Claims plugin API, i would have to access some session context to retrieve information about calling client application. However it seems to me that there is no API that give access to this context information. Is there any way to fulfill the requirement?
The only option i see at the moment is to this name as a parameter to the plugin. But this would require to create a provider for each client which doesn't seem very scalable.
Any thoughs are welcome.

Best regards,
Dirk

Hi Dirk,

I have no experience in OIDC implementation, but depending the value
you are looking for for "application", you maybe can refer to a
"Request Context Variable". Again I'm not sure that this will work as
the value should be available before the authentication as the claim
plugin will process for authentication.

Best Regards,
Patrick
Original Message:
Sent: 09-30-2019 11:11 AM
From: Dirk Woywode
Subject: OIDC Custom Claims Plug-in

Hi all,
I got a request from a client to include the name of the calling application as a claim in the token during OIDC auhentication. Looking at the Custom Claims plugin API, i would have to access some session context to retrieve information about calling client application. However it seems to me that there is no API that give access to this context information. Is there any way to fulfill the requirement?
The only option i see at the moment is to this name as a parameter to the plugin. But this would require to create a provider for each client which doesn't seem very scalable.
Any thoughs are welcome.

Best regards,
Dirk

Hi Dirk,

The ID Token will contain the ClientID in the "aud" claim attribute (see example below). The ClientID can be customized and renamed to a more user-friendly name in the OICD client configuration screen in the Admin UI.
If you need to, you can also use the Custom Claims plugin API to set additional claims based on the "aud" claim value.

Let me know if this helps.

Below is an IDToken example: 

{

  "sub": "user1",

  "aud": "a9e8418f-5954-4142-aff6-5e0e3003774c",

  "auth_time": 1571323296,

  "iss": "https://<hostname>/affwebservices/CASSO/oidc/test",

  "exp": 1571323709,

  "iat": 1571323409

}

Original Message:
Sent: 09-30-2019 11:11 AM
From: Dirk Woywode
Subject: OIDC Custom Claims Plug-in

Hi all,
I got a request from a client to include the name of the calling application as a claim in the token during OIDC auhentication. Looking at the Custom Claims plugin API, i would have to access some session context to retrieve information about calling client application. However it seems to me that there is no API that give access to this context information. Is there any way to fulfill the requirement?
The only option i see at the moment is to this name as a parameter to the plugin. But this would require to create a provider for each client which doesn't seem very scalable.
Any thoughs are welcome.

Best regards,
Dirk

Hi Uzi,
Of course you are right. Why haven't i seen this before? :)
Thanks a lot.
Regards,
Dirk
Original Message:
Sent: 10-17-2019 11:09 AM
From: Uzi Cohen
Subject: OIDC Custom Claims Plug-in

Hi Dirk,

The ID Token will contain the ClientID in the "aud" claim attribute (see example below). The ClientID can be customized and renamed to a more user-friendly name in the OICD client configuration screen in the Admin UI.
If you need to, you can also use the Custom Claims plugin API to set additional claims based on the "aud" claim value.

Let me know if this helps.

Below is an IDToken example: 

{

  "sub": "user1",

  "aud": "a9e8418f-5954-4142-aff6-5e0e3003774c",

  "auth_time": 1571323296,

  "iss": "https://<hostname>/affwebservices/CASSO/oidc/test",

  "exp": 1571323709,

  "iat": 1571323409

}

Original Message:
Sent: 09-30-2019 11:11 AM
From: Dirk Woywode
Subject: OIDC Custom Claims Plug-in

Hi all,
I got a request from a client to include the name of the calling application as a claim in the token during OIDC auhentication. Looking at the Custom Claims plugin API, i would have to access some session context to retrieve information about calling client application. However it seems to me that there is no API that give access to this context information. Is there any way to fulfill the requirement?
The only option i see at the moment is to this name as a parameter to the plugin. But this would require to create a provider for each client which doesn't seem very scalable.
Any thoughs are welcome.

Best regards,
Dirk