Symantec Access Management


OIDC: Create a claim that contains all (or part) of the access roles that the user has on the identity.

  • 1.  OIDC: Create a claim that contains all (or part) of the access roles that the user has on the identity.

    Posted Aug 31, 2023 04:16 PM
    Is it possible to create a claim that contains all (or part) of the access roles that the user has on the identity?

    At the moment the only way I was able to do this was by using the custom claims plugin, writing Java code to modify the access token (or ID token).
    The plugin gets the user and then does a SOAP call to the identity, getting the access roles, and creates the new claim.
    To have this I must therefore also use a service account (on identity) which can ask for the roles of all users and keep its credentials in SiteMinder.
    I don't like it very much and would like to save this extra call.

    Any idea ?
    Thanks in advance
    Marco
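    The claim-building step from the plugin flow above, as an added example that is not part of the original post and not the SiteMinder custom-claims plugin API: a plain helper a plugin could call once it has the user's roles (whether from the SOAP call or from another source), which keeps only the roles the requesting client is allowed to see. The comma-separated input format, the client allow-list and the client IDs are assumptions.

```java
import java.util.*;
import java.util.stream.Collectors;

/**
 * Hypothetical helper (not the SiteMinder plugin API) that turns a raw role list
 * into the value of a "roles" claim for one OIDC client.
 * Assumption: the raw value is a comma-separated list of role names.
 */
public final class RolesClaimBuilder {

    /** Roles each OIDC client is permitted to receive (constructed sample, keyed by client_id). */
    private static final Map<String, Set<String>> ALLOWED_ROLES_PER_CLIENT = Map.of(
        "hr-portal", Set.of("HR_Admin", "HR_Viewer"),
        "expense-app", Set.of("Expense_Approver"));

    /** Upper bound on roles emitted, so the token cannot grow without limit. */
    private static final int MAX_ROLES = 50;

    /** Returns the sorted, de-duplicated roles to place in the claim; empty if none apply. */
    public static List<String> buildRolesClaim(String clientId, String rawRoles) {
        Set<String> allowed = ALLOWED_ROLES_PER_CLIENT.getOrDefault(clientId, Set.of());
        if (rawRoles == null || allowed.isEmpty()) {
            return List.of();   // an unknown client gets no role information at all
        }
        return Arrays.stream(rawRoles.split(","))
            .map(String::trim)
            .filter(r -> !r.isEmpty())
            .filter(allowed::contains)   // only the roles this relying party needs ("part of" the roles)
            .distinct()
            .sorted()
            .limit(MAX_ROLES)
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample standing in for the role list returned by Identity Manager.
        String raw = "HR_Viewer, Expense_Approver, Payroll_Admin, HR_Viewer";
        System.out.println("hr-portal:   " + buildRolesClaim("hr-portal", raw));
        System.out.println("expense-app: " + buildRolesClaim("expense-app", raw));
        System.out.println("unknown:     " + buildRolesClaim("unknown", raw));
    }
}
```

The returned list is meant to be serialized as a JSON array claim by whatever token-building code the plugin hands it to; Payroll_Admin never reaches either client because neither allow-list contains it.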


  • 2.  RE: OIDC: Create a claim that contains all (or part) of the access roles that the user has on the identity.

    Posted Sep 01, 2023 04:02 AM

    Ciao Marco

    According to IM Techdocs, the information about user roles should be already available in SM as a Response attribute, like this:

    SM_USER_APPLICATION_ROLES[:application id]: Returns a list of roles that are assigned to a user.

    (see this link for additional details)

    You may try to use this in place of the SOAP call.

    Let me know if this works

    Best regards

    Enrico B.




  • 3.  RE: OIDC: Create a claim that contains all (or part) of the access roles that the user has on the identity.

    Posted Sep 01, 2023 04:33 AM

    Ciao Enrico,

    I know it and I use it for applications integrated via SPS, passing it with the headers. Unfortunately, it doesn't work if I put it in an OIDC provider as a claim :(

    Marco