Actions to be performed in mapping rules (Federation)
For certain grant types, the pre-token mapping rule must perform the actions described below.
- Resource owner password credentials (ROPC) grant type flow
- For the ROPC flow, the pre-token mapping rule is responsible for validating the user name and password. This validation can be performed in various ways; the pre-defined rule that is included with the appliance shows the following examples:
- The Java class PluginUtils can be used to validate a user name and password against a configured LDAP server. To configure the LDAP server that is used, see Configure username and password authentication.
- Validate the user name and password through an HTTP callout: the mapping rule sends the user name and password to a web service. Because the message format is not fixed, various kinds of service (for example, REST, SOAP or SCIM) can be used. Since the callout carries the user's password, make it over HTTPS with a configured trust store rather than plain HTTP. Javadoc for the HTTP client and all other Java classes exposed to mapping rules can be downloaded from the appliance File Downloads page under the path access_control > doc > ISAM-javadoc.zip.
- JWT and SAML bearer grant type flow
For the JWT or SAML assertion bearer grant type flows, the pre-token mapping rule must perform the following actions:
- Validate the assertion before trusting any of its claims, including but not limited to:
- Validate the signature (if signed).
- Decrypt the assertion (if encrypted).
- Check the expiry and "not before" values of the assertion.
- Ensure the issuer is a trusted party, and that the audience (if present) identifies this authorization server.
- Extract the subject from the assertion and set the USERNAME field of the STSUU.
The USERNAME field of the STSUU can be set with a call such as the following:
// username is a variable containing the subject of the assertion
stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("username", "urn:ibm:names:ITFIM:oauth:rule:decision", username));
The validation of the assertion can be performed in various ways:
- HTTP callout to a web service, using the HTTP client class exposed to mapping rules.
- WS-Trust request to the Secure Token Service (STS):
- A chain must be configured to consume the assertion and return the required information.
- Use the STSClientHelper class to invoke the STS over HTTP. For more information about this class, see the Javadoc that is embedded in the appliance.
Any attributes of the assertion can be extracted and associated to the OAuth grant to be used later. For information about associating attributes, see OAuth 2.0 and OIDC mapping rule methods.
- The type of the username attribute that is added must be "urn:ibm:names:ITFIM:oauth:rule:decision". This ensures that only a value the rule itself established from the validated assertion is used, rather than a username carried in the request.
Parent topic: Mapping rules