IBM Verify

  • 1.  IBM Verify Identity Access - filter groups claim in id_token

    Posted 3 days ago

    Hi,

    We have configured IBM Verify Identity Access 11 as an OIDC Provider and are populating the groups claim in the id_token; it returns all user groups. I configured the attribute source as credentials type (AZN_CRED_GROUPS).

    However, we have a requirement that if an admin user logs in to a specific OAuth2 client application (e.g. ServiceNow, Salesforce, etc.), only that application's user groups should be populated in the id_token. For example, an admin user has ServiceNow groups and Salesforce groups in Verify Directory Server; if the user logs in to the ServiceNow application, IVIA should populate only the ServiceNow groups in the id_token.

    To implement this requirement, we added the search criteria below in the attribute source (LDAP type). It returns only one ServiceNow group; it doesn't return multiple ServiceNow groups. Am I missing anything here, or is this a product limitation?

    (&(cn=ServiceNow*)(uniquemember=*{AZN_CRED_PRINCIPAL_NAME}*))

    Question: Is there any better way to return OAuth2 client application specific user groups in the id_token? If we use one OIDC provider for multiple OAuth2 applications, can we identify the OAuth2 client (e.g. the ServiceNow client_id) and filter specific groups in the clientPreTokenGeneration script?

    Thanks for your prompt response.

    Regards

    SK



    ------------------------------
    Someswara Reddy Karem
    ------------------------------


  • 2.  RE: IBM Verify Identity Access - filter groups claim in id_token

    Posted 3 days ago

    I figured out an issue and applied the fix below to filter application specific user groups for OIDC claims, but we have the same issue in SAML2. Any guidance on implementing this for a SAML2 federation to filter app specific groups in the SAML assertion?

    I added the code below to make it work while checking the extra attrs in the produceClaim() function; it works now.

    // Check the extra attrs now
    if ((value == null || value.length == 0) && stateId != null) {

        // Keep only the ServiceNow groups
        if (tmp_value[i].startsWith("ServiceNow")) {
            tmp_array[i] = tmp_value[i];
        }

    Thanks for your support.



    ------------------------------
    Someswara Reddy Karem
    ------------------------------
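The two posts above describe the same idea from two angles: the first asks whether the requesting OAuth2 client can be identified so that only its groups land in the id_token, the second filters groups by a hard-coded "ServiceNow" prefix inside produceClaim(). The following is an added example, not IVIA's mapping-rule API and not the poster's code; it shows the general form of that filter as a plain JavaScript function: a per-client allow-list keyed by client_id, applied to the user's full group list before the claim is emitted. The client_id values, group names and the CLIENT_GROUP_PREFIX table are constructed for the example, and it assumes the rule already has the client_id and the AZN_CRED_GROUPS list in hand.

```javascript
// Added example (not IVIA's own API): reduce a user's group list to the groups
// that belong to the OAuth2 client requesting the token.
// Assumption: the deployer maintains this client_id -> group-name-prefix table;
// the client_ids and prefixes below are constructed sample values.
const CLIENT_GROUP_PREFIX = {
  "servicenow-client": "ServiceNow",
  "salesforce-client": "Salesforce",
};

// Return only the groups whose name starts with the prefix registered for
// clientId. An unknown client gets an empty list rather than every group, so a
// client that was never mapped cannot receive another application's groups.
function filterGroupsForClient(groups, clientId) {
  const prefix = CLIENT_GROUP_PREFIX[clientId];
  if (prefix === undefined) {
    return [];
  }
  return groups.filter((g) => typeof g === "string" && g.startsWith(prefix));
}

// Assemble the claims for the id_token. The groups claim is omitted entirely
// when nothing matches, so the relying party sees either its own groups or
// no groups claim at all.
function buildIdTokenClaims(sub, groups, clientId) {
  const claims = { sub: sub, aud: clientId };
  const filtered = filterGroupsForClient(groups, clientId);
  if (filtered.length > 0) {
    claims.groups = filtered;
  }
  return claims;
}

// Constructed sample: an admin who is a member of groups of both applications
// plus one unrelated group, as AZN_CRED_GROUPS would list them.
const SAMPLE_GROUPS = [
  "ServiceNow-Admins",
  "ServiceNow-Users",
  "Salesforce-Admins",
  "All-Staff",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(buildIdTokenClaims("admin", SAMPLE_GROUPS, "servicenow-client")));
  console.log(JSON.stringify(buildIdTokenClaims("admin", SAMPLE_GROUPS, "unknown-client")));
}
```

Keying the filter on the client_id rather than on a prefix written into the script is what makes one OIDC provider serve several relying parties safely: adding an application means adding a table entry, and a client that is missing from the table fails closed. The same function can be called from a SAML2 attribute mapping, since the input is just the group list and an identifier for the partner.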



  • 3.  RE: IBM Verify Identity Access - filter groups claim in id_token

    Posted 2 days ago

    Hi Someswara,

    Did you have a look at token mapping rules? You can basically manipulate close to everything with the rules.



    ------------------------------
    Jens Petersen
    ------------------------------