Layer7 API Management

  • 1.  sample to extract users group information for OIDC userinfo

    Posted Apr 25, 2017 10:18 PM

    I have a requirement to pass the user's group information as part of the claims in the userinfo endpoint of the OpenID Connect implementation. If I just extract the groups information from CA SSO, I get it as

    {
       "sub": "XnGo6hjvm6PK1fUJU6gnRKvy0d63eosOwNSIlI4Qo2E",
       "name": "Shinoy Cherayil",
       "family_name": "Cherayil",
       "nickname": "Shinoy",
       "preferred_username": "xxxxx",
       "groups": "CN=CVTrials,OU=VDS,ou=groups,DC=acmecorp,DC=com, CN=DL All Users,ou=groups,DC=acmecorp,DC=com, CN=DL ZL CP G1 Mgrs,ou=groups,DC=acmecorp,DC=com,CN=EPFellowsInternal,OU=VDS,ou=groups,DC=acmecorp,DC=com, CN=FACSalesAdminExceptions,OU=VDS,ou=groups,DC=acmecorp,DC=com,  CN=bousers,OU=VDS,ou=groups,DC=acmecorp,DC=com"
    }

     

    Any idea on how I can transform that into this format as arrays when the groups element length could vary based on the number of groups the user belongs to?

    {
       "sub": "XnGo6hjvm6PK1fUJU6gnRKvy0d63eosOwNSIlI4Qo2E",
       "name": "Shinoy Cherayil",
       "family_name": "Cherayil",
       "nickname": "Shinoy",
       "preferred_username": "xxxxx",
       "groups": ["CN=CVTrials,OU=VDS,ou=groups,DC=acmecorp,DC=com", "CN=DL All Users,ou=groups,DC=acmecorp,DC=com", "CN=DL ZL CP G1 Mgrs,ou=groups,DC=acmecorp,DC=com","CN=EPFellowsInternal,OU=VDS,ou=groups,DC=acmecorp,DC=com", "CN=FACSalesAdminExceptions,OU=VDS,ou=groups,DC=acmecorp,DC=com", "CN=bousers,OU=VDS,ou=groups,DC=acmecorp,DC=com"]
    }



  • 2.  Re: sample to extract users group information for OIDC userinfo

    Broadcom Employee
    Posted Apr 25, 2017 11:26 PM

    Good Evening,

    Do you have a sample policy where you get the original information from SSO along with the creation of the OIDC? Initial thought would be to split the context variable based on maybe cn=, then use a run for each branch with a regular expression to change the string with the right values needed.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 3.  Re: sample to extract users group information for OIDC userinfo

    Posted Apr 25, 2017 11:44 PM

    I attached the userinfo policy here. I did make an attempt to split based on cn=, but the second question that came up is how to figure out how many branches to run and how to concatenate into an array using Policy Manager.

    Thanks

    Shinoy

    This message has been marked as Medtronic Controlled

    Attachment(s): UserInfo.xml.zip (7 KB, 1 version)


  • 4.  Re: sample to extract users group information for OIDC userinfo
    Best Answer

    Broadcom Employee
    Posted Apr 26, 2017 12:00 AM

    That is where you would use the Run Assertions for Each Item assertion (Run Assertions for Each Item Assertion - CA API Gateway - 9.2 - CA Technologies Documentation), as it would iterate through each item in the array created by the Split Variable assertion. You would need to build another assertion that would have [" in it, then the run for each would build out the final string, then outside you would add the built string into another variable with "] or just ] depending on the logic in the run each.

    Sincerely,

    Stephen Hughes

    Director, CA Support
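
The split-and-rebuild logic discussed in this thread, as an added Python illustration (not Layer7 policy and not code from any poster): it starts a new DN after the trailing DC= components rather than at every CN=, because a group DN can contain CN= as an inner container, and it serializes with a JSON library so quotes or backslashes inside a DN are escaped. The function names, the assumption that every DN ends in DC= components, and the sample entry with a CN=Users container are assumptions made for this example.

```python
import json
import re

# Constructed sample: part of the flattened "groups" value from the first post,
# plus one AD-style DN with a CN=Users container to exercise the edge case.
RAW_GROUPS = (
    "CN=CVTrials,OU=VDS,ou=groups,DC=acmecorp,DC=com, "
    "CN=DL All Users,ou=groups,DC=acmecorp,DC=com,"
    "CN=EPFellowsInternal,OU=VDS,ou=groups,DC=acmecorp,DC=com,  "
    "CN=Domain Admins,CN=Users,DC=acmecorp,DC=com"
)

# Split on commas that are not backslash-escaped (RFC 4514 writes "," as "\,").
_RDN_SEP = re.compile(r"(?<!\\),")


def split_group_dns(raw):
    """Split a comma-joined list of DNs into individual DNs.

    Assumption: every DN ends with one or more DC= components, so a new DN
    starts at the first non-DC RDN that follows a DC RDN.
    """
    dns, current, prev_was_dc = [], [], False
    for rdn in (part.strip() for part in _RDN_SEP.split(raw)):
        if not rdn:
            continue
        is_dc = rdn.upper().startswith("DC=")
        if prev_was_dc and not is_dc:
            dns.append(",".join(current))
            current = []
        current.append(rdn)
        prev_was_dc = is_dc
    if current:
        dns.append(",".join(current))
    return dns


def with_group_array(claims):
    """Return a copy of the userinfo claims with "groups" as a list."""
    out = dict(claims)
    out["groups"] = split_group_dns(claims.get("groups", ""))
    return out


if __name__ == "__main__":
    claims = {"sub": "constructed-subject", "groups": RAW_GROUPS}
    # json.dumps escapes quotes and backslashes inside DNs.
    print(json.dumps(with_group_array(claims), indent=2))
```

A relying party that authorizes on the groups claim sees a wrong group list if the split boundary is wrong, so the DC= assumption should be checked against the directory's actual DN layout before reuse.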