IBM Verify

  • 1.  OIDC and IAG: iv-groups and rules

    Posted Tue October 13, 2020 09:36 AM
    Hello,

    I am trying IAG and I think it works very well. Now I would like to apply rules depending on ISAM groups but it is not working. I think IAG is not receiving iv-groups.

    My config file is:

    identity:
      oidc:
        discovery_endpoint: "<ISAM>"
        client_id: "<client_ID>"
        client_secret: "<client_secret>"
        scopes:
          - profile
          - openid
        mapped_identity: "{sub}"
        id_token_attrs:
          - "+sub"

    Do I have to add anything?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------


  • 2.  RE: OIDC and IAG: iv-groups and rules

    Posted Tue October 13, 2020 04:18 PM
    Javier,
     
    You need to ensure that a claim which contains iv-groups is created at the OP, and is then added to the credential by the RP.  From your configuration it looks like the RP (aka IAG) is adding the majority of the claims from the token to the credential.  So, I would enable the creds viewer application (https://iamdevportal.us-east.mybluemix.net/iag/references/yaml/server/local-applications/cred-viewer), authenticate, and then access the creds-viewer application to see what credentials are available.  If the group information is missing the OP needs to be updated to include the group information in the identity token.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
  • 3.  RE: OIDC and IAG: iv-groups and rules

    Posted Wed October 14, 2020 04:35 AM
    Hello Scott,

    It helps. And now, my OP is ISAM (Security Verify Access). Do you know how I can add iv-groups?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 4.  RE: OIDC and IAG: iv-groups and rules

    Posted Wed October 14, 2020 04:49 AM
    Hello Javier,

    As Scott explained, check in the cred-viewer application. Here is an example:

    groupIds [0] groupa
             [1] admin
             [2] allUsers

    This is what the IAG yaml file should contain

    identity_headers:
       ip_address: false 
       encoding: utf8_uri
       session_cookie: false 
       attributes:
          -
             attribute: groupIds
             header: iv_groups

    Regards
    Serge Vereecke

    ------------------------------
    Serge Vereecke
    ------------------------------
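A small model of the mapping that Serge's identity_headers block performs, added here as an example that is not part of the thread or of IBM's IAG code. It assumes IAG joins multi-valued attributes with commas and that utf8_uri means UTF-8 followed by percent-encoding (both assumptions), and shows why a rule keyed on iv_groups cannot fire when the OP never issued the groupIds claim, which is the symptom in the original post.

```javascript
// Constructed credential attributes as IAG holds them after id_token_attrs
// mapping. The first matches the cred-viewer output quoted in the thread; the
// second is what the OP returns before the pre-token mapping rule is changed.
const claimsWithGroups = { sub: "javier", groupIds: ["groupa", "admin", "allUsers"] };
const claimsWithoutGroups = { sub: "javier" };

// The identity_headers block from the thread, as a JS object.
const identityHeaders = {
  encoding: "utf8_uri",
  attributes: [{ attribute: "groupIds", header: "iv_groups" }],
};

// Assumption: multi-valued attributes are comma-joined, and utf8_uri means
// percent-encoding of the UTF-8 string (encodeURIComponent does exactly that).
function encodeValue(value, encoding) {
  const s = Array.isArray(value) ? value.join(",") : String(value);
  return encoding === "utf8_uri" ? encodeURIComponent(s) : s;
}

// Build the identity headers IAG would send upstream for one credential.
// An attribute missing from the credential produces no header at all.
function buildIdentityHeaders(claims, cfg) {
  const headers = {};
  for (const m of cfg.attributes) {
    if (claims[m.attribute] === undefined) continue;
    headers[m.header] = encodeValue(claims[m.attribute], cfg.encoding);
  }
  return headers;
}

// Decode iv_groups back into a list, as a downstream app or rule would.
function parseGroups(headers) {
  if (!("iv_groups" in headers)) return [];
  return decodeURIComponent(headers.iv_groups).split(",").filter(Boolean);
}

// A rule of the kind the original poster wants: require one group.
// The "no header" case is reported separately so the cause is visible.
function authorize(headers, requiredGroup) {
  const groups = parseGroups(headers);
  if (groups.length === 0) {
    return { allowed: false, reason: "no iv_groups header: check OP claim and IAG mapping" };
  }
  return groups.includes(requiredGroup)
    ? { allowed: true, reason: "member of " + requiredGroup }
    : { allowed: false, reason: "not a member of " + requiredGroup };
}

console.log(authorize(buildIdentityHeaders(claimsWithGroups, identityHeaders), "admin"));
console.log(authorize(buildIdentityHeaders(claimsWithoutGroups, identityHeaders), "admin"));
```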



  • 5.  RE: OIDC and IAG: iv-groups and rules

    Posted Wed October 14, 2020 01:25 PM
    Javier,

    The attributes added to the OIDC Token are controlled by the logic in the pre- and post-mapping rules for the OAuth/OIDC definition in Verify Access.

    These can be rather complex to figure out but if you simply want to have groups added to the OIDC token, you can add a single line to the pre-token mapping rule:

    Find this line:

    if (populate_id_token || save_cred_attrs) {

    and add this right after it:

    produceClaim("AZN_CRED_GROUPS", null, false, state_id, to_save);

    This will cause the groups to always be added to the token.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 6.  RE: OIDC and IAG: iv-groups and rules

    Posted Thu October 15, 2020 05:05 AM
    Thanks Jon,

    It works! Should I modify the pre-mapping rule in another way?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 7.  RE: OIDC and IAG: iv-groups and rules

    Posted Thu October 15, 2020 05:20 AM

    Hi Javier,

    The approach I've suggested associates the group memberships in the OAuth grant during the /authorize flow.  They are then available to any subsequent OAuth flow that runs for that grant (which is indexed by auth_code, Access Token, or Refresh Token).

    This approach should be fine for an OIDC exchange because the grant is short-lived.  If you were running flows where the grant lasts a long time (like OAuth flow for a mobile application) then it would probably be better to write custom code to dynamically pull the group memberships out of LDAP on each /token call - so that changes to group memberships are reflected - but I don't think you need that for your use case.

    Other changes should only be needed if you want to change the functionality - for example, making the return of groups conditional or changing the attribute that contains the groups.  These are more complex changes and I don't have examples to hand.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------