UID for OpenAM dynamically created account - openam

I'm using OpenAM v11 and have configured the OAuth 2.0 authentication module for OpenAM. I enabled "create account if it does not exist". Everything works fine: account attributes from the OAuth provider are populated into the OpenAM account. But not the uid.
Those dynamically created accounts will have a randomly generated UID, and according to the manual:
Create account if it does not exist
This option must be enabled for this use case.
In this case if the user does not exist, the account will be created on the fly. The account will have a uid that is dynamically created as a UUID and the attributes of the profile will be the ones configured in the attribute mapper configuration.
source: https://wikis.forgerock.org/confluence/download/attachments/14942413/OAuth20_config.pdf?version=1&modificationDate=1322198637000
Is there a way for me to customize the user creation rule, or just a UI configuration that allows me to map an attribute value from the OAuth provider (e.g. login id or email) to be used as the new OpenAM account's UID / UUID?
Thanks

Yes, you can implement a custom AccountMapper implementation, and in the #provisionUser method you just have to figure out what the username should be based on the received attributes. In the OAuth 2.0 auth module configuration you just have to configure the Account Mapper setting to point to your custom implementation and it should work.
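As an added example (not code from the original post, and not ForgeRock's own), here is what such a custom mapper could look like for OpenAM 11. It assumes the OAuth2 module's AccountMapper contract as implemented by DefaultAccountMapper, i.e. a provisionUser(AMIdentityRepository, Map<String, Set<String>>) method; the class name, package and the "mail" attribute name are assumptions, so verify the interface against your OpenAM build before wiring it in as the Account Mapper. The uid is derived from the mapped email address, but only when the value is syntactically safe, and provisioning refuses to proceed if an identity with that uid already exists, so an IdP-asserted email cannot silently take over an existing local account.

```java
// Added example for OpenAM 11's OAuth2 authentication module; not part of the original
// post or of ForgeRock's code. Assumes the DefaultAccountMapper contract:
//   String provisionUser(AMIdentityRepository idrepo, Map<String, Set<String>> attributes)
// Check the signature against the AccountMapper interface in your OpenAM build.
package com.example.openam.oauth2; // assumed package

import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Pattern;

import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import org.forgerock.openam.authentication.modules.oauth2.DefaultAccountMapper;

public class EmailUidAccountMapper extends DefaultAccountMapper {

    // Mapped attribute whose value becomes the uid. Assumed name: the attribute mapper
    // configuration in the OAuth 2.0 module decides what the provider's email is called.
    private static final String UID_SOURCE_ATTR = "mail";

    // Only values that are safe as a login name / RDN value are accepted as uid.
    // Anything else falls back to a UUID instead of letting the provider pick an
    // arbitrary string (LDAP special characters, whitespace, overlong values).
    private static final Pattern SAFE_UID = Pattern.compile("^[a-z0-9][a-z0-9._@+-]{0,63}$");

    @Override
    public String provisionUser(AMIdentityRepository idrepo, Map<String, Set<String>> attributes)
            throws AuthLoginException {
        String userId = chooseUid(attributes);

        // Refuse to provision on top of an existing identity. If the uid is already
        // taken, the correct behaviour is to fail closed, not to bind the federated
        // login to someone else's account.
        if (identityExists(idrepo, userId)) {
            throw new AuthLoginException("A user with uid '" + userId + "' already exists");
        }

        try {
            idrepo.createIdentity(IdType.USER, userId, attributes);
        } catch (IdRepoException ire) {
            throw new AuthLoginException("Failed to create user " + userId, ire);
        }
        return userId;
    }

    // Pick the uid: normalised email if present and safe, otherwise a random UUID
    // (the same fallback DefaultAccountMapper uses for every account).
    static String chooseUid(Map<String, Set<String>> attributes) {
        Set<String> values = attributes == null ? null : attributes.get(UID_SOURCE_ATTR);
        if (values != null && values.size() == 1) {
            String candidate = values.iterator().next().trim().toLowerCase(Locale.ROOT);
            if (SAFE_UID.matcher(candidate).matches()) {
                return candidate;
            }
        }
        return UUID.randomUUID().toString();
    }

    private static boolean identityExists(AMIdentityRepository idrepo, String userId)
            throws AuthLoginException {
        try {
            IdSearchResults results =
                    idrepo.searchIdentities(IdType.USER, userId, new IdSearchControl());
            return results.getSearchResults() != null && !results.getSearchResults().isEmpty();
        } catch (IdRepoException ire) {
            // Cannot tell whether the uid is free: fail closed rather than risk a collision.
            throw new AuthLoginException("Unable to check for existing user " + userId, ire);
        }
    }
}
```

Two caveats when using an email as uid: the provider must actually have verified the address (for providers that expose a verified flag, map it and check it before trusting the email), and if the same person can arrive via several providers you need a deliberate linking rule, because two providers asserting the same address will collide on the second login rather than merge.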

Related

Azure B2C multi tenant "google" users creation and tenantId claim

Currently our team is struggling with the proper architecture of an Azure B2C solution for our multi-tenant app.
Here is what we want to achieve. We want to enable users from certain Azure AD tenants to authenticate. This is nicely described here, including restricting the tenants we want to enable.
We just want to enrich this solution with Google authentication. We do not want to enable all users to be able to sign up. Is there a possibility to create a Google federated user programmatically? We basically receive a list of emails from the customer company and create accounts in the tenant. As far as I know there is no possibility to achieve this using the MS Graph API when I don't have the issuerUserId of the user.
Do we have any possible solutions for this type of scenario? Like an invitation email or so? Or maybe B2C is not a proper solution in this case.
Thanks in advance
A solution would be to create the allowed users in B2C as local accounts via the Graph API with accountEnabled set to false and some generated password. Since accountEnabled is false, the user will not be able to sign in or reset the password, as the default set of custom policies verify that attribute.
In the federated flow in the custom policy:
Let the user complete federation.
Read the account using the email address received.
If a local account exists, then link the federated account (write alternateSecurityId to the account using its objectId).
If a matching local account cannot be found, block the user by showing a self-asserted page saying you are not allowed to sign up/in to this application.
You could also have some custom boolean extension attribute set on the local account to have an extra validation, and update its value once the user completes the signup.

How to implement role based login using SAML

I have integrated SAML with Spring Boot and it is working as expected. But I wanted to implement login based on region and role, so that the user can select them at login and access the selective content, and can switch the account profile, i.e. role and region, at any point in time. So, when the user logs in, a SAML token will be generated with the attributes; can we refresh or enrich the token with the selected role and region attributes, or is there any suggestion which will help in implementing this?

Custom policy with custom user attribute missing from JWT

Our solution requires a custom user attribute to be available for Graph API POST/GET operations and to be exposed as claims in the JWT for user sign-in.
I have configured a custom policy for Local Account.
The template files were downloaded from and the only change made is to add a new custom user attribute that is available for Azure AD read/write, persistent storage, and claims output.
I added the policy files to a public repo here:
https://github.com/frode/azure-ad-b2c/tree/master/LocalAccountSignIn
The extension_tenantId attribute becomes available for Graph API operations (setting and retrieving its value works fine); however, the attribute is never exposed in the JWT's claims section as we intended.
Can user flows and custom policies be used together, or is the problem that we have defined a user flow with the same name as the custom policy?
/Frode
Was able to spot the issue in our configuration today.
src/Policies/LocalAccount/TrustFrameworkExtensions.xml was missing the IdentityExperienceFramework app registration & GUID value.
Regards
Frode

Need help in Configuring access to Azure users to existing SSO

Currently we are a Service Provider (SP) using SSO authentication with OpenAM, and we are using Spring Security to achieve this.
We have a login interface where the user enters a user name and password and authentication happens.
Now we have a requirement to allow users from an external identity provider (Azure) to access the SP in addition to the existing OpenAM SSO. We are trying to use SAML 2.0 to achieve this.
For this we changed the login interface to accept the user name and, based on the user name, either provide the password option (for local users) or redirect to the Azure portal (for IdP users) to authenticate the user.
As part of this requirement, we added a variable userType into an HTTP request cookie and try to redirect to the respective authentication provider. But we always get redirected to Azure even though the user is a local one.
We have gone through many examples from GitHub to implement this, but no luck.
Any pointers on this would be really helpful.

Expose Values of Extensions via SAML 2.0 Using Azure Active Directory as Identity Provider

I am trying to configure SP-initiated SSO using SAML 2.0 between Azure Active Directory and NetSuite OpenAir. OpenAir requests a company ID and a user ID that are not part of the Azure Active Directory schema, so I added the necessary fields as extensions using the method at http://blogs.msdn.com/b/aadgraphteam/archive/2014/03/06/extend-azure-active-directory-schema-using-graph-api-preview.aspx
I now have the extension fields populated in AAD (one for UserID and one for CompanyID), but I do not know how to edit the federation metadata to enable them to be requested and asserted via SAML 2.0. I also don't know what URI to use to get the actual value included in the response.
This is the solution I've chosen for SP-initiated SSO with AAD as IdP, if you have another suggestion please let me know. I've been looking here, on MSDN, and on various documentation sites and blogs without success for about a week.