Request Additional User Information From an External Domain - Fluid Topics - 3.10

Fluid Topics Configuration and Administration Guide

Category: Reference Guides
Audience: public
Version: 3.10

In some cases, administrators prefer not to store information about user groups and user roles within the configuration of the realm itself. For this reason, Fluid Topics v3.9.5 makes it possible to add a script to the JavaScript functions configured when running the configuration assistant. The script uses the HTTP client to call a web service and retrieve user roles and rights from an external system whenever a user authenticates via the SSO mechanism.

The script is intended to be added to a groups or roles mapper.

For security reasons, it is necessary to provide Antidot with a whitelist of authorized external hosts in order for the script to be usable.

Example

An administrator adds the script to a groups mapper to call a fictitious API for a fictitious domain which is accessible via an SSO mechanism:

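// Encode the user ID so that special characters cannot alter the query string.
const response = http.get('https://mydomain.com/api/users/rights?userid=' + encodeURIComponent(user.id))
  .header('Accept', 'application/json')
  // Placeholder credentials (base64 of "username:password"); replace with the real value.
  .header('Authorization', 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=')
  .asString();

// Parse the JSON body returned by the API.
const json = JSON.parse(response);

// Assign the returned rights as the user's groups.
user.groups = json.rights;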

As shown in the example, it is good practice to configure the following headers when adding the script:

  • 'Authorization': a header to define user credentials or an access token.
  • 'Accept': a header to define the accepted API call and response format.
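
A more defensive form of the mapper logic above, as an added example that is not part of the Fluid Topics documentation: the external response decides which groups a user receives at login, so the function fails closed and keeps only groups the portal already knows. The `http.get().header().asString()` chain, `user.id` and `user.groups` come from the example above; `resolveGroups`, `KNOWN_GROUPS`, `stubHttp`, the group names and the assumption that the client throws on a transport error are hypothetical.

```javascript
// Added example: defensive groups mapper logic. Only http.get().header().asString()
// and user.id / user.groups come from the page; everything else is an assumption.
const KNOWN_GROUPS = new Set(['readers', 'editors', 'admins']); // hypothetical group names

function resolveGroups(http, user, authHeader) {
  // Encode the identifier so characters such as '&' or '#' cannot alter the query.
  const url = 'https://mydomain.com/api/users/rights?userid=' +
    encodeURIComponent(String(user.id));
  let rights;
  try {
    const body = http.get(url)
      .header('Accept', 'application/json')
      .header('Authorization', authHeader)
      .asString();
    rights = JSON.parse(body).rights;
  } catch (e) {
    return []; // fail closed: a transport or parse error grants no groups
  }
  if (!Array.isArray(rights)) return []; // unexpected shape grants no groups
  // Keep only string entries naming a known group, without duplicates.
  return [...new Set(rights.filter(r => typeof r === 'string' && KNOWN_GROUPS.has(r)))];
}

// Constructed stub standing in for the platform's http client (offline use only).
function stubHttp(body, seen) {
  return {
    get(url) {
      seen.url = url;
      const req = {
        header(name, value) { seen[name] = value; return req; },
        asString() { if (body instanceof Error) throw body; return body; },
      };
      return req;
    },
  };
}

// Constructed sample run: an ID containing '&' and a response with unexpected entries.
const seen = {};
const user = { id: 'alice&userid=root', groups: [] };
user.groups = resolveGroups(
  stubHttp('{"rights":["editors","superuser",42,"editors"]}', seen), user, 'PLACEHOLDER');
console.log(seen.url, user.groups);
```

In an actual mapper only the body of `resolveGroups` is needed, using the `http` and `user` objects that the platform provides.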