Some administrators prefer not to store user group and role information in the realm configuration itself. Instead, they configure a script that calls an external system over an HTTP client web service to retrieve the user's roles and rights each time the user authenticates through the SSO mechanism.
The script is intended to be added to a groups or roles mapper.
For security reasons, a whitelist of authorized external hosts must be defined. Without this list, the script will not work.
An administrator adds the script to a groups mapper to call a fictitious API on a fictitious domain (mydomain.com) that is reachable through the SSO mechanism:
// Call the external rights API for the authenticated user.
const response = http.get('https://mydomain.com/api/users/rights?userid=' + user.id)
    .header('Accept', 'application/json')
    // The scheme and the token must be separated by a space ("Bearer <token>").
    .header('Authorization', 'Bearer ' + attributes.access_token)
    .asString();
// Parse the JSON body and assign the returned rights as the user's groups.
const json = JSON.parse(response);
user.groups = json.rights;
As shown in the example, it is good practice to set the following headers when adding the script:
- 'Authorization': a header carrying the access token used to call the external API.
- 'Accept': a header stating the response format the script accepts from the API (here, JSON).
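The mapper script above trusts whatever the external API returns and does nothing if the host or the response is not what it expects. The following added example (not the product's own code) shows the same lookup wrapped in the checks a practitioner would want: the host is compared against an allowlist before the request is sent, the user id is URL-encoded, and the response is validated as a JSON object with a `rights` array of strings before it is assigned to `user.groups`. The `http` client, the `user` and `attributes` objects, the `ALLOWED_HOSTS` list and the API response are all stubbed or constructed here for the example; in a real mapper the product supplies the client and enforces its own whitelist.

```javascript
// Added example, not the product's own mapper script.
// Host allowlist: constructed for this example (the real product keeps its own list).
const ALLOWED_HOSTS = ['mydomain.com'];

// Stub of the mapper's HTTP client, constructed for this example.
// It mimics the get().header().asString() chain used in the original script
// and simulates an API that only answers to a well-formed Bearer header.
const http = {
  get(url) {
    const headers = {};
    return {
      header(name, value) { headers[name] = value; return this; },
      asString() {
        const auth = headers['Authorization'] || '';
        if (!auth.startsWith('Bearer ') || auth.length <= 'Bearer '.length) {
          // Simulated 401 body: a missing space ("Bearertoken") ends up here too.
          return JSON.stringify({ error: 'unauthorized' });
        }
        // Simulated successful response from the rights API.
        return JSON.stringify({ rights: ['reader', 'editor'] });
      },
    };
  },
};

// Refuse to call any host that is not explicitly authorized.
function assertAllowedHost(url) {
  const host = new URL(url).hostname;
  if (!ALLOWED_HOSTS.includes(host)) {
    throw new Error('host not in allowlist: ' + host);
  }
}

// Fetch the user's rights and validate the response shape before using it.
function fetchRights(user, attributes, baseUrl) {
  const url = baseUrl + '/api/users/rights?userid=' + encodeURIComponent(user.id);
  assertAllowedHost(url);

  const response = http.get(url)
    .header('Accept', 'application/json')
    .header('Authorization', 'Bearer ' + attributes.access_token)
    .asString();

  let json;
  try {
    json = JSON.parse(response);
  } catch (e) {
    throw new Error('rights API returned a non-JSON body');
  }
  if (json === null || typeof json !== 'object' || !Array.isArray(json.rights) ||
      !json.rights.every((r) => typeof r === 'string')) {
    throw new Error('rights API returned an unexpected response shape');
  }
  return json.rights;
}

// Mapper entry point: assign validated rights as the user's groups.
function mapGroups(user, attributes, baseUrl) {
  user.groups = fetchRights(user, attributes, baseUrl);
  return user;
}

// Stand-alone run with constructed inputs.
const mapped = mapGroups({ id: 'alice' }, { access_token: 'example-token' }, 'https://mydomain.com');
console.log(mapped.groups); // prints [ 'reader', 'editor' ]
```

Throwing on an unexpected host or response is deliberate: a mapper that silently assigns `undefined` or an attacker-shaped value to `user.groups` fails open, whereas a thrown error surfaces in the authentication flow and in the logs where it can be investigated.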