[cf-dev] #uaa


[cf-dev] #uaa

vshetty via Lists.Cloudfoundry.Org
We have our own UAA server running in a cloud.gov environment which we use for all applications that are deployed in cloud.gov. These applications use OAuth 2 to integrate with the UAA server and the UAA server is using SAML to integrate with our on premises ADFS Identity Server. Currently the only claims that we are getting from ADFS are the standard First name, last name, email. But now one of the applications need a custom claim from the AD. We set that in ADFS and we now see the custom claim as part of the SAML but we dont see that in the ID token after a user login. What do I need to do in the UAA.yml to get this in the ID token ? I added an entry in the attributes mapping but it did not work.  Is there anything I need to add to the scopes for this to happen ? Whats the best way ? Any help is appreciated. 

       attributeMappings:
          somename: claim_url

Re: [cf-dev] #uaa

Martijn de Boer

You need to set e.g. the config.attributeMappings['user.attribute.department'] attribute in the identity provider registration. See https://docs.cloudfoundry.org/api/uaa/version/74.18.0/index.html#oauth-oidc

Then you can retrieve it from the userinfo endpoint, see https://docs.cloudfoundry.org/api/uaa/version/74.18.0/index.html#user-info


config.attributeMappings['user.attribute.department'] String Optional Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
On 22.05.20 at 19:42, Shetty, Viraj S [CTR] via lists.cloudfoundry.org wrote:

We have our own UAA server running in a cloud.gov environment which we use for all applications that are deployed in cloud.gov. These applications use OAuth 2 to integrate with the UAA server and the UAA server is using SAML to integrate with our on-premises ADFS Identity Server. Currently the only claims that we are getting from ADFS are the standard first name, last name, email. But now one of the applications needs a custom claim from the AD. We set that in ADFS and we now see the custom claim as part of the SAML but we don't see that in the ID token after a user login. What do I need to do in the uaa.yml to get this in the ID token? I added an entry in the attributes mapping but it did not work. Is there anything I need to add to the scopes for this to happen? What's the best way? Any help is appreciated.

       attributeMappings:
          somename: claim_url
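As an added illustration of the fix Martijn describes (this is example configuration written for this page, not taken from the thread or from the UAA project), the fragment below shows a SAML identity provider entry in uaa.yml with the original poster's unprefixed mapping next to the corrected user.attribute.<attribute_name> form. The provider alias (adfs), the ADFS metadata URL, and the custom claim URI are placeholders; the three standard claim URIs are the usual ADFS claim types for given name, surname and email.

```yaml
login:
  saml:
    providers:
      adfs:                      # placeholder alias for the on-premises ADFS provider
        idpMetadata: https://adfs.example.gov/FederationMetadata/2007-06/FederationMetadata.xml  # placeholder
        nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        assertionConsumerIndex: 0
        metadataTrustCheck: true
        showSamlLoginLink: true
        linkText: "ADFS"
        attributeMappings:
          # Standard attributes UAA knows by name: left side is the UAA key,
          # right side is the attribute name as it appears in the SAML assertion.
          given_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
          family_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
          email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

          # Does NOT work: a bare key is not a mapping UAA recognizes, so the
          # claim is silently ignored even though it is present in the assertion.
          # somename: http://schemas.example.gov/claims/department

          # Works: the user.attribute.<attribute_name> prefix tells UAA to store
          # the claim as a custom user attribute named "department".
          # The claim URI on the right is a placeholder for the custom ADFS claim.
          user.attribute.department: http://schemas.example.gov/claims/department
```

Once the user signs in again through the provider, the mapped value appears under the user_attributes object of the userinfo response (the endpoint Martijn links) for clients whose granted scopes include user_attributes; it is not added to the ID token by the mapping alone. Existing sessions keep the attributes they were created with, so re-authentication is the quickest check that the new mapping took effect.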

[cf-dev] How do we get the user attributes from AD into the ID Token ?

vshetty via Lists.Cloudfoundry.Org

Hi Martijn –


user.attribute.<attr_name>

Everything is working now.

Thanks,

Viraj
