Have you tried turning trace up to 9 on trace.pd.cas.usermap and then trying the flow? I have an example of where I did that a while back and it dumps the entire STSUU document where you can see all the available attributes.
Maybe there could be a clue with a different attribute?
So I take it in your usermap you need to know if the auth method was oidc so you can tell if the user is authenticating to the WRP/WebSEAL as a federated/oidc user? If so, seems like you may end up having to use an EAI/InfoMap for whatever logic you need to do based on that attribute :(
------------------------------
Matt Jenkins
------------------------------
Original Message:
Sent: Fri September 23, 2022 09:15 AM
From: Thomas Renner
Subject: Get value of attribute 'AZN_CRED_AUTH_METHOD" for user mapping rule
Hi @ all,
We have already used the "method" in the user mapping rule, however we didn't get the relevant authentication mechanism. Our current use case is that we have a Reverse Proxy as a native OIDC Relying Party to a foreign IdP which is responsible for the authentication. In this case the AZN_CRED_AUTH_METHOD has the value "OIDC".
Unfortunately the above mentioned "method" cannot provide any value, so we got "NOT FOUND". That's why I was asking for this AZN_CRED_AUTH_METHOD because I didn't find any other information to determine the authentication method in the following case.
Best regards
Thomas
------------------------------
Thomas Renner
Original Message:
Sent: Fri September 23, 2022 08:50 AM
From: Matt Jenkins
Subject: Get value of attribute 'AZN_CRED_AUTH_METHOD" for user mapping rule
As Scott pointed out, we use method for this today. The two values I found were "LDAP Registry" for username/password and "SSL Client Certificate" for x509. I can't recall how I figured those values out, likely tracing things. I'm not sure if there are other values that you use for other purposes.
So basically
<xsl:variable name="method"><xsl:value-of select="stsuuser:Attribute[@name='method']/stsuuser:Value"/></xsl:variable>
Then testing the value of $method as needed.
Matt
------------------------------
Matt Jenkins
Original Message:
Sent: Thu September 22, 2022 04:56 PM
From: Scott Exton
Subject: Get value of attribute 'AZN_CRED_AUTH_METHOD" for user mapping rule
Thomas,
Unfortunately the user mapping rule is executed immediately after the authentication operation, but before the credential is created. This means that the standard credential information (which includes AZN_CRED_AUTH_METHOD) is not available to the user mapping rule. The full list of data which is made available to the user mapping rule can be found in the documentation: https://www.ibm.com/docs/en/sva/10.0.4?topic=mapping-valid-user-attributes. It looks like you should be able to use the 'method' attribute to determine the method which authenticated the user.
I hope that this helps.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 9/21/2022 9:07:00 AM
From: Thomas Renner
Subject: Get value of attribute 'AZN_CRED_AUTH_METHOD" for user mapping rule
Hi Guys,
For my user mapping rule I need the value of attribute 'AZN_CRED_AUTH_METHOD'. For example, if a user authenticates via SSL Client Certificate the value of AZN_CRED_AUTH_METHOD is "ssl".
I used the following line of code but unfortunately I didn't get the right value:
<xsl:variable name='credMethod' select="stsuuser:Attribute[@name='attr:AZN_CRED_AUTH_METHOD']/stsuuser:Value"/>
Is it not possible for the user name mapping rule to get this value of AZN* attributes?
Best regards
Thomas
------------------------------
Thomas Renner
------------------------------