IBM Verify

  • 1.  IBM Verify Identity Access - Set subject claim in Persistent nameid format

    Posted 10 hours ago

    Hi,

    We have a requirement to update the NameID value in the SAML assertion below. I configured Verify Access (on-prem) as the IdP with the persistent NameID format.

    In the SAML mapping rule, I tried to set principalName to one of the LDAP custom attributes instead of the auto-generated ID, i.e. uuid2d5cd167-0198-1990-82f3-33df4fc59bnm:

    stsuu.setPrincipalName(nameID);

    But it is not working. What is the best way to populate the NameID subject value with an LDAP attribute (for example, set employeeUniqueId as the NameID value)?

    As-is SAML assertion:

    <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://<fqdn>/isam/sps/demo-idp/saml20" SPNameQualifier="https://<sp-fqdn>" >uuid2d5cd167-0198-1990-82f3-33df4fc59bnm</saml:NameID>

    Expected SAML assertion:

    <saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" NameQualifier="https://<fqdn>/isam/sps/demo-idp/saml20" SPNameQualifier="https://<sp-fqdn>" >empId1234</saml:NameID>

    Thanks for your support.



    ------------------------------
    Someswara Reddy Karem
    ------------------------------


  • 2.  RE: IBM Verify Identity Access - Set subject claim in Persistent nameid format

    Posted 4 hours ago

    Hi,
    Try the below:

    // Import the STS Attribute class
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);

    // 1. Extract the LDAP attribute from the STS-UU.
    //    Replace "employeeUniqueId" with the actual attribute name in your LDAP schema.
    var empId;
    var empIdAttr = stsuu.getAttributeList().getAttribute("employeeUniqueId");
    if (empIdAttr == null || empIdAttr.getValues().length == 0) {
        // No value found; fall back to the existing principal name
        var existing = stsuu.getPrincipalName();
        empId = (existing != null) ? existing : "";
    } else {
        // Use the first value of the LDAP attribute
        empId = empIdAttr.getValues()[0];
    }

    // 2. Add a Principal attribute whose type is the persistent NameID format
    var nameIdFormat = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
    stsuu.addPrincipalAttribute(
        new Attribute("principalName", nameIdFormat, empId)
    );

    // Optionally override the SPNameQualifier or NameQualifier via context attributes:
    // var spQualifier = "https://<sp-fqdn>";
    // stsuu.addContextAttribute(
    //     new AttributeAssertion("ChangeSPNameQualifier", "urn:oasis:names:tc:SAML:2.0:assertion", spQualifier)
    // );



    ------------------------------
    Mohamed Ahmed
    ------------------------------



  • 3.  RE: IBM Verify Identity Access - Set subject claim in Persistent nameid format

    Posted 2 hours ago

    Hi,

    If the SAML request contains nameid-format:persistent, stsuu.setPrincipalName(nameID) does not have any effect.

    IVIA will use the alias present in the ALIAS_SVC_ALIASUSERPARTNER table or generate a random alias if not found.



    ------------------------------
    Stéphane MASSON
    ------------------------------
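As an added example (not code from the thread, and not IBM Verify Identity Access code), here is the relying-party side of the same question in Python: parse the <saml:Subject> the original poster pasted and check the persistent NameID the way an SP should before trusting it. The mapping rule discussed above runs inside IVIA's embedded Rhino engine against the STSUU object and cannot run stand-alone, so this uses only the standard library. The host names idp.example.test and sp.example.test are placeholders, and the assertions are constructed fixtures built from the thread's snippets (namespace declared, closing tags added).

```python
# Added example: SP-side checks on a SAML 2.0 persistent NameID.
# Not from the thread or from IVIA; fixtures and host names are constructed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# SAML 2.0 Core: when the Format attribute is absent, "unspecified" is in effect.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Placeholder entity IDs standing in for the <fqdn> / <sp-fqdn> in the thread.
IDP_ENTITY_ID = "https://idp.example.test/isam/sps/demo-idp/saml20"
SP_ENTITY_ID = "https://sp.example.test"


def subject_xml(nameid_value, fmt=PERSISTENT, sp_qualifier=SP_ENTITY_ID):
    """Build a minimal, well-formed assertion around one NameID (test fixture only)."""
    fmt_attr = f' Format="{fmt}"' if fmt else ""
    sp_attr = f' SPNameQualifier="{sp_qualifier}"' if sp_qualifier else ""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
        f'<saml:NameID{fmt_attr} NameQualifier="{IDP_ENTITY_ID}"{sp_attr}>'
        f"{nameid_value}</saml:NameID></saml:Subject></saml:Assertion>"
    )


# The two assertions from the thread, as constructed fixtures.
ASSERTION_AS_IS = subject_xml("uuid2d5cd167-0198-1990-82f3-33df4fc59bnm")  # what the IdP emits today
ASSERTION_EXPECTED = subject_xml("empId1234")                              # what the poster wants


def extract_nameid(assertion_xml):
    """Return the Subject's NameID value and its qualifiers as a dict."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find(f".//{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if nameid is None:
        raise ValueError("assertion has no saml:Subject/saml:NameID")
    return {
        "value": (nameid.text or "").strip(),
        "format": nameid.get("Format", UNSPECIFIED),
        "name_qualifier": nameid.get("NameQualifier"),        # IdP that owns the identifier
        "sp_name_qualifier": nameid.get("SPNameQualifier"),   # SP the identifier was minted for
    }


def check_persistent_nameid(nameid, expected_idp, expected_sp):
    """Return the reasons to reject this NameID; an empty list means accept."""
    problems = []
    if nameid["format"] != PERSISTENT:
        problems.append(f"Format is {nameid['format']}, expected persistent")
    if not nameid["value"]:
        problems.append("NameID value is empty")
    elif len(nameid["value"]) > 256:
        # SAML 2.0 Core 8.3.7: persistent identifiers MUST NOT exceed 256 characters.
        problems.append("persistent NameID exceeds 256 characters")
    # NameQualifier, when present, must be the IdP we federate with; when absent
    # it defaults to the assertion's Issuer, which is checked elsewhere.
    if nameid["name_qualifier"] not in (None, expected_idp):
        problems.append(f"NameQualifier {nameid['name_qualifier']} is not our IdP")
    # SPNameQualifier, when present, must name this SP: a persistent identifier
    # minted for a different SP is not an identifier of our user.
    if nameid["sp_name_qualifier"] not in (None, expected_sp):
        problems.append(f"SPNameQualifier {nameid['sp_name_qualifier']} is not this SP")
    return problems


if __name__ == "__main__":
    samples = (
        ("as-is", ASSERTION_AS_IS),
        ("expected", ASSERTION_EXPECTED),
        ("no Format", subject_xml("empId1234", fmt=None)),
        ("other SP", subject_xml("empId1234", sp_qualifier="https://other-sp.example.test")),
    )
    for label, xml in samples:
        n = extract_nameid(xml)
        verdict = check_persistent_nameid(n, IDP_ENTITY_ID, SP_ENTITY_ID) or "OK"
        print(f"{label:9} {n['value']:45} {verdict}")
```

Both the as-is and the expected assertion pass these structural checks; what the checks cannot see is that SAML 2.0 Core defines a persistent identifier as an opaque, pseudorandom value with no discernible correspondence to the subject's real identifier. That is why the product keeps its own alias table for this format, as the previous reply notes, and why an SP that needs the employee identifier normally stores the link between the opaque NameID and its local account (or receives the identifier as an ordinary attribute statement) rather than expecting it in the NameID itself.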