Hello Everyone,
I would like to check and understand my issue: the user enters the user name and the authentication level is 1, but the SAML mapping rule is still allowed to run for validation, and it is failing and throwing an error.
My questions:
1. How is it allowed to check the condition while the authentication level is still 1? It should be after authentication.
2. If it is allowed and throws the message, can we instead call pkmslogout to clear the user session and ask the user to log in again?
Please find my code below:
// Imports this fragment relies on (not shown in the original post)
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
// AUTHENTICATION_LEVEL and principalName are assumed to have been set earlier in the rule
if (AUTHENTICATION_LEVEL == 2) {
    // Use the local part of the principal's e-mail address as the NameID
    var nameid = principalName.split("@");
    IDMappingExtUtils.traceString("Principal nameid email " + nameid[0]);
    stsuu.addPrincipalAttribute(new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", nameid[0]));
} else {
    // Abort the STS flow with an error
    IDMappingExtUtils.throwSTSException("Aamli login failed");
    // window.location is browser-side JavaScript; it is not available in a server-side mapping rule
    //window.location.href = 'https://<webseal-host>/pkmslogout';
    //page.setValue("redirectURL", "https://<webseal-host>/pkmslogout");
}
------------------------------
Vijay Baskar
------------------------------
Original Message:
Sent: Wed July 13, 2022 02:41 AM
From: Yashas S N
Subject: SAML mapping rule
Thank you Shane, that made sense.
I finally could achieve what I wanted. I may have to add error resiliency to the mapping as you said.
The code below worked.
//SAML20 SP mapping rule
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement);
// Get username from incoming SAML assertion
var qualified_username = stsuu.getAttributeContainer().getAttributeValueByName("username");
//Clear the working object. We will explicitly add back everything we want to send in the SAML to CIC.
stsuu.clear();
// Set the NameID attribute of the SAML assertion to the generated qualified_username
stsuu.addPrincipalAttribute(new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", qualified_username));
// Done.
------------------------------
Yashas S N
Original Message:
Sent: Wed July 13, 2022 01:37 AM
From: Shane Weeden
Subject: SAML mapping rule
1. You want to add a lot more error resiliency to the mapping rule in case things are not as you expect in the SAML assertion.
2. There are much simpler APIs available:
let name = stsuu.getAttributeValueByName("name");
if (name != null) {
    stsuu.setPrincipalName(name);
} else {
    IDMappingExtUtils.throwSTSUserMessageException("Invalid SAML assertion");
}
------------------------------
Shane Weeden
IBM
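The error resiliency Shane recommends above, as an added example that is not code from the thread or from IBM: the mapping logic rewritten as plain JavaScript so it runs outside ISAM. `Assertion` and `MappingError` are constructed stand-ins for the stsuu attribute container and `IDMappingExtUtils.throwSTSUserMessageException`, and `USERNAME_RE` is an assumed description of what a value that will be forwarded as the IV-User header may look like. The rule rejects a missing, multi-valued, empty or malformed username instead of letting `undefined` or a control character reach the header.

```javascript
// Added example, not code from the thread: a defensive variant of the SP
// mapping logic, in plain JavaScript so it runs outside ISAM. Assertion and
// MappingError are constructed stand-ins for the stsuu attribute container
// and IDMappingExtUtils.throwSTSUserMessageException.

const NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

// Stand-in for the STS user-message exception; a real rule would call
// IDMappingExtUtils.throwSTSUserMessageException(msg) instead.
class MappingError extends Error {
  constructor(msg) { super(msg); this.name = "MappingError"; }
}

// Stand-in for stsuu.getAttributeContainer(): attribute name -> array of values
class Assertion {
  constructor(attrs) { this.attrs = attrs; }
  getAttributeValuesByName(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : [];
  }
}

// Assumed acceptable shape for a value that ends up in IV-User: one bounded
// token of safe characters, optionally with a domain part. Empty values,
// control characters and over-long strings are rejected.
const USERNAME_RE = /^[A-Za-z0-9._%+-]{1,64}(?:@[A-Za-z0-9.-]{1,253})?$/;

// Pull exactly one well-formed value of attrName out of the assertion.
function selectUsername(assertion, attrName) {
  const values = assertion.getAttributeValuesByName(attrName);
  if (values.length === 0) {
    throw new MappingError("Invalid SAML assertion: missing attribute " + attrName);
  }
  if (values.length > 1) {
    throw new MappingError("Invalid SAML assertion: " + attrName + " is multi-valued");
  }
  const value = String(values[0]).trim();
  if (!USERNAME_RE.test(value)) {
    throw new MappingError("Invalid SAML assertion: " + attrName + " is not well-formed");
  }
  return value;
}

// Build the outbound principal the way the working rule in this thread does:
// principal name plus a "name" attribute in the emailAddress NameID format
// (mirrors stsuu.setPrincipalName and stsuu.addPrincipalAttribute).
function mapPrincipal(assertion, attrName = "username") {
  const username = selectUsername(assertion, attrName);
  return {
    principalName: username,
    attributes: [{ name: "name", type: NAMEID_EMAIL, values: [username] }],
  };
}

// Constructed sample assertions exercising the normal and failure paths.
const SAMPLE_OK = new Assertion({ username: ["jdoe"], email: ["jdoe@domain.com"] });
const SAMPLE_MISSING = new Assertion({ email: ["jdoe@domain.com"] });
const SAMPLE_INJECTED = new Assertion({ username: ["jdoe\r\nX-Admin: true"] });

// Report the outcome of mapping one assertion without aborting the caller.
function outcome(assertion) {
  try {
    return { ok: true, principalName: mapPrincipal(assertion).principalName };
  } catch (e) {
    if (e instanceof MappingError) return { ok: false, reason: e.message };
    throw e;
  }
}

if (typeof require !== "undefined" && require.main === module) {
  const samples = [["ok", SAMPLE_OK], ["missing", SAMPLE_MISSING], ["injected", SAMPLE_INJECTED]];
  for (const [label, a] of samples) {
    console.log(label, JSON.stringify(outcome(a)));
  }
}
```

Inside a real rule the stand-ins disappear: read the values from `stsuu.getAttributeContainer()`, call `stsuu.setPrincipalName(username)` on success, and call `IDMappingExtUtils.throwSTSUserMessageException` where `MappingError` is thrown here.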
Original Message:
Sent: Tue July 12, 2022 04:19 AM
From: Yashas S N
Subject: SAML mapping rule
Hello Team,
We are doing an SP-initiated SAML federation with Azure. As the user enters the credentials on the Azure login page (xyz@domain.com), the IV-User header that is passed to the application by default is xyz@domain.com. The IDP is sending another attribute named username which matches the user present in the application DB, and hence I need to map this username attribute to be sent in the IV-User header to the target app. I have written an SP mapping rule; please let me know if it is correct.
//SAML20 SP mapping rule
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
var c = stsuu.getAttributeContainer();
// getValues() returns an array of values; username is expected to be single-valued
var uname = c.getAttributeByName("username").getValues()[0];
// Set the NameID ("name" principal attribute) to the username sent by the IDP
stsuu.addPrincipalAttribute(new Attribute("name", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", uname));
------------------------------
Yashas S N
------------------------------