WebSphere Application Server & Liberty

  • 1.  Exchanging group memberships between OpenID provider and relying party

    Posted Tue March 29, 2022 02:45 PM
    Hello IBM Folks,

    I have to configure an OpenID Connect relationship between OpenAM (ForgeRock) as OpenID provider (OP) and WebSphere as Relying Party (RP). This works so far. But I have problems mapping the groups to roles for an application. The question is, how does the WebSphere RP expect the group memberships to be returned by the OP? In the attached trace you can see that the group membership "TestUser" is returned as follows:

    3/29/22 18:19:07:830 UTC] 00000197 RelyingPartyU < getData returns [{"given_name":"Fred","family_name":"Brown","name":"Fred","groups":["TestUsers"],"sub":"Fred"}] Exit

    I can influence the attribute name and the group list format in OpenAM. I just need to know how.

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------




  • 2.  RE: Exchanging group memberships between OpenID provider and relying party

    Posted Wed March 30, 2022 02:35 AM
    Hello Thomas,
    have you tried to set the provider_<id>.groupIdentifier with provider_<id>.useDefaultIdentifierFirst set to false (default)? As per https://www.ibm.com/docs/en/was/9.0.5?topic=party-openid-connect-relying-custom-properties this should allow you to set the group mapping attribute.

    Regarding the role mapping the following blog post might help: https://blog.2innovate.at/posts/asserting_saml_users_and_groups_in_websphere_application_server/ which has been written for a SAML TAI but afaik OIDC should be the same.

    Hope this helps - Hermann

    ------------------------------
    Hermann Huebler
    2innovate IT Consulting GmbH
    Vienna
    Austria

    #IBMChampion
    ------------------------------



  • 3.  RE: Exchanging group memberships between OpenID provider and relying party

    Posted Wed March 30, 2022 03:47 AM
    Hello Hermann,

    thank you, this was the information I was missing! I changed the attribute name for the group memberships returned by OpenAM to groupIds, which is the default value expected by the WebSphere RP. Now it works!

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------
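The thread turns on a single claim name: the RP looks up group memberships under the attribute named by `provider_<id>.groupIdentifier` (default `groupIds`), while the OP in the trace sent them as `groups`. The sketch below is an added example, not WebSphere or IBM code, that models that lookup and the resulting role mapping in plain Python so the silent failure (user authenticates, carries no groups, matches no role) and both fixes (repoint the identifier, or rename the attribute on the OP side, as Thomas did) can be seen directly. The claim set is constructed from the trace in the question; the function names and the `ROLE_TO_GROUPS` binding are hypothetical stand-ins for an application's role bindings.

```python
"""Model of how an OIDC relying party picks group memberships out of provider
claims and maps them onto application roles.

Added example, not WebSphere code: the real RP reads the claim named by the
provider_<id>.groupIdentifier custom property (default "groupIds"). The
claims are assumed to come from an ID token or userinfo response whose
signature, issuer and audience have already been validated; only the
attribute lookup and role mapping are modelled here.
"""
import json

DEFAULT_GROUP_IDENTIFIER = "groupIds"  # WebSphere RP default, per the thread

# Constructed claim set, modelled on the trace in the question: the OP used
# the attribute name "groups" rather than the RP default "groupIds".
CLAIMS_FROM_OP = json.loads(
    '{"given_name":"Fred","family_name":"Brown","name":"Fred",'
    '"groups":["TestUsers"],"sub":"Fred"}'
)

# Hypothetical application role bindings (security role -> groups that hold it).
ROLE_TO_GROUPS = {
    "AppUser": {"TestUsers"},
    "AppAdmin": {"Admins"},
}


def extract_groups(claims, group_identifier=DEFAULT_GROUP_IDENTIFIER):
    """Return the group list found under `group_identifier`.

    A missing claim yields an empty list rather than an error: that is the
    failure mode in the thread, where the user logs in fine but no group
    reaches the role mapping. A malformed value is rejected outright so an
    unexpected claim shape cannot be misread as a group name.
    """
    value = claims.get(group_identifier)
    if value is None:
        return []
    if isinstance(value, str):
        # Some providers send a single group as a bare string.
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return list(value)
    raise ValueError(f"claim {group_identifier!r} is not a string or list of strings")


def roles_for(claims, group_identifier=DEFAULT_GROUP_IDENTIFIER, role_map=ROLE_TO_GROUPS):
    """Map the user's groups onto the application roles they grant."""
    groups = set(extract_groups(claims, group_identifier))
    return sorted(role for role, members in role_map.items() if groups & members)


if __name__ == "__main__":
    # Mismatch: RP default "groupIds" vs OP attribute "groups" -> no roles.
    print(roles_for(CLAIMS_FROM_OP))                             # []
    # Fix 1 (Hermann's answer): point groupIdentifier at the OP's attribute.
    print(roles_for(CLAIMS_FROM_OP, group_identifier="groups"))  # ['AppUser']
    # Fix 2 (what Thomas did): rename the attribute on the OP side.
    renamed = dict(CLAIMS_FROM_OP)
    renamed["groupIds"] = renamed.pop("groups")
    print(roles_for(renamed))                                    # ['AppUser']
```

Either fix works; the operational check when role mapping fails after a successful OIDC login is to compare the claim name in the RP trace (`getData returns [...]`) against the configured `groupIdentifier`, since the RP gives no error when the claim is simply absent.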