Hi Sylvain:
I'm not sure if this helps, but I can see that there is a function
com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder that extracts the claims, including sub, from the STSUU and adds them to the jwt.
In this case the attribute that it extracts from the STSUU is
<stsuuser:Attribute name="oidc_username" type="urn:ibm:names:ITFIM:5.1:accessmanager">
<stsuuser:Value>SUBJECT</stsuuser:Value>
</stsuuser:Attribute>
and it then generates the claim in the STSUU
<stsuuser:Attribute name="sub" type="urn:ibm:jwt:claim">
<stsuuser:Value>SUBJECT</stsuuser:Value>
</stsuuser:Attribute>
that will be used to generate the jwt.
Of course you can always change this behavior by customizing the pretoken mapping rule.
In the case of the attribute "aud", the STSUU attribute used to extract this value is first obtained in
<stsuuser:Attribute name="client_id" type="urn:ibm:names:ITFIM:oauth:body:param">
<stsuuser:Value>AUDIENCE</stsuuser:Value>
</stsuuser:Attribute>
The com.tivoli.am.fim.oauth20.strategy.commands.ProduceOidcClaimsCmd function extracts this information and,
after several steps that validate the entry, adds the claim to the STSUU in the following element
<stsuuser:Attribute name="aud" type="urn:ibm:jwt:claim">
<stsuuser:Value>AUDIENCE</stsuuser:Value>
</stsuuser:Attribute>
which will later be used to generate the jwt.
If you need, I can provide a more detailed description of how ISAM processes the request and generates the jwt.
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------
Original Message:
Sent: Tue October 27, 2020 12:51 PM
From: Sylvain Gilbert
Subject: Signed JWT assertions on junction with standard claims
Hi Community
Use Case: Passing signed JWT assertions on (tfim-sso) junction with standard claims.
Somehow, I would have expected that the "Default Jwt Module" in the STS (Federation module) would extract the user name from the provided ivcred (or from STSUU to be more precise) and insert it as the "sub" claim (for subject) in the issued Jwt. Why is the user id not converted automatically in the signed jwt assertion? At least this is our observation. We told some dev team to use the associated AZN entry instead in the meantime while we clarify this.
Also, the "Default Jwt module" configuration panel features an input field "sub" (and also for "aud"). I am not sure how this "sub" field can be used without using a hardcoded value and this would really not make sense to us.
https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/config/concept/con_jwt_issue_mode.htm
The provided documentation for the "sub" entry states: "The static value with which the sub (subject) claim is populated". But typically, you want the "sub" value to be associated with the Web Proxy logged-in user which will not be a static user.
Before heading to a customized trust chain journey (mapping rule), I want to be sure we are not missing out here on anything else.
Thanks in advance
------------------------------
Sylvain Gilbert
------------------------------