SAML Profile Retrieval Reading - Fluid Topics - 3.7

Fluid Topics Integration Guide

Operating system: Debian
Category: Reference Guides
Audience: public
Version: 3.7

Fluid Topics supports several ways to build a Fluid Topics profile from SAML attributes. The simplest is to read values directly from SAML attributes.

When the SSO response attributes need further processing, values can instead be computed by a JavaScript function.

The following SAML realm configuration properties control profile retrieval:

  • User Identifier

    By default, the SAML NameID returned by the Identity Provider is used. This default can be changed with idPropertyKey, which names the SAML attribute to read; if that attribute contains several values, only the first one is used. Alternatively, idReaderFunction names the JavaScript function to call to compute the user identifier. This function must return a non-null string value.

  • User Display Name

    This property holds the user's full name. By default it is empty and the user is prompted to fill it in. namePropertyKey selects the SAML attribute that contains the display_name value. nameReaderFunction names the function to call to compute the user name. This function must return a nullable string value.

  • User Email Address

    This property holds the user's email address. By default it is empty and the user is prompted to fill it in. mailPropertyKey selects the SAML attribute that contains the user's mail value. mailReaderFunction names the function to call to compute the user email address. This function must return a nullable string value.

  • User Groups

    This property holds the names of the groups the user belongs to. By default it is empty. groupsPropertyKey selects the SAML attribute that contains the user groups. groupsReaderFunction names the function to call to compute the user groups. This function must return a string list.

  • User Roles

    This property holds the identifiers of the user's roles; role identifiers that do not exist are ignored. By default it is empty. rolesPropertyKey selects the SAML attribute that contains the user roles. rolesReaderFunction names the function to call to compute the user roles. This function must return a string list.

The following example shows how to build a Fluid Topics profile directly from SAML attribute values.

Example of a response from the SSO provider

This example assumes that the provider returned the following values:

  • NameID

    name_id: 7f44d40ff8ff8018bd488addc17df599ed0f1053

  • Attributes

    {
      "firstName": ["Freddie"],
      "lastName": ["House"],
      "mail": ["freddie.house@product-support.com"],
      "job": ["Support Agent"],
      "login": ["fhouse"],
      "id": ["7f44d40ff8ff8018bd488addc17df599ed0f1053"]
    }

Example of a conf.json file using SSO provider data

  • The following example shows how conf.json reads the information returned by the SSO provider:

    "ui": {
    ...
      "authentication": {
        "realms": [
          {
            "name": "$SAML_NAME_EXAMPLE",
            "type": "saml2",
            "configuration": {
              "name": "$SAML_NAME_EXAMPLE",
              "keystoreFile": "saml/keystore.jks",
              "keystorePassword": "$KEYSTORE_PASSWORD",
              "privateKeyPassword": "$PRIVATE_KEY_PASSWORD",
              "entityId": "http://$HOSTNAME/$TENANT_ID/",
              "idpMetadataFile": "saml/idp_metadata.xml",
              "idPropertyKey": "id",
              "namePropertyKey": "lastName",
              "mailPropertyKey": "mail",
              "groupsPropertyKey": "job",
              "maxAuthenticationLifetime": "$NUMERICAL_VALUE"
            }
          }
        ]
      }
    ...
    },
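As an added example, not code from the Fluid Topics product or from this guide: a small JavaScript model of the profile-retrieval rules listed above (NameID default, first value of a multi-valued attribute, non-null identifier, empty defaults for name and mail, string lists for groups and roles, unknown roles ignored), run over the sample SSO response and the profile keys of the sample conf.json. The reader-function signature (attributes object in, value out), the reader names fullName and rolesFromJob, and the precedence of a reader function over its property key are assumptions made for this example; the guide does not state them.

```javascript
// Added example, not Fluid Topics code: a reference model of the SAML
// profile-retrieval rules described in this guide.

// Constructed sample: the NameID and attributes from the example response above.
const sampleResponse = {
  nameId: "7f44d40ff8ff8018bd488addc17df599ed0f1053",
  attributes: {
    firstName: ["Freddie"],
    lastName: ["House"],
    mail: ["freddie.house@product-support.com"],
    job: ["Support Agent"],
    login: ["fhouse"],
    id: ["7f44d40ff8ff8018bd488addc17df599ed0f1053"],
  },
};

// Profile-related keys from the example conf.json (keystore and IdP settings omitted).
const sampleConfig = {
  idPropertyKey: "id",
  namePropertyKey: "lastName",
  mailPropertyKey: "mail",
  groupsPropertyKey: "job",
};

// Hypothetical reader functions. Their signature (attributes object in, value out)
// is an assumption for this example, not the documented Fluid Topics contract.
const readerFunctions = {
  // Name reader: must return a nullable string.
  fullName(attributes) {
    const first = firstValue(attributes, "firstName");
    const last = firstValue(attributes, "lastName");
    return first && last ? `${first} ${last}` : null;
  },
  // Roles reader: must return a string list.
  rolesFromJob(attributes) {
    return (attributes.job || []).map((j) => j.toLowerCase().replace(/\s+/g, "_"));
  },
};

// Multi-valued attribute: only the first value is used (the guide states this
// for idPropertyKey; this example applies it to the other single-valued fields too).
function firstValue(attributes, key) {
  const values = attributes[key];
  return Array.isArray(values) && values.length > 0 ? values[0] : null;
}

function callReader(readers, name, attributes) {
  const fn = readers[name];
  if (typeof fn !== "function") throw new Error(`unknown reader function: ${name}`);
  return fn(attributes);
}

// Single-valued field: reader function (assumed to take precedence), else property key, else fallback.
function resolveString(attributes, readers, readerName, propertyKey, fallback = null) {
  if (readerName) return callReader(readers, readerName, attributes);
  if (propertyKey) return firstValue(attributes, propertyKey);
  return fallback;
}

// List-valued field: all values of the attribute, or the reader's list; empty by default.
function resolveList(attributes, readers, readerName, propertyKey) {
  if (readerName) return callReader(readers, readerName, attributes);
  if (propertyKey) return Array.isArray(attributes[propertyKey]) ? [...attributes[propertyKey]] : [];
  return [];
}

function buildProfile(response, config, options = {}) {
  const { readers = readerFunctions, knownRoles = [] } = options;
  const attrs = response.attributes;

  // User identifier: NameID by default, and it must be a non-null, non-empty string.
  const id = resolveString(attrs, readers, config.idReaderFunction, config.idPropertyKey, response.nameId);
  if (typeof id !== "string" || id.length === 0) {
    throw new Error("user identifier must resolve to a non-null string");
  }

  // Display name and mail default to null: the user is then prompted for them.
  const displayName = resolveString(attrs, readers, config.nameReaderFunction, config.namePropertyKey);
  const mail = resolveString(attrs, readers, config.mailReaderFunction, config.mailPropertyKey);

  const groups = resolveList(attrs, readers, config.groupsReaderFunction, config.groupsPropertyKey);
  // Roles: identifiers that do not exist in the tenant are ignored.
  const roles = resolveList(attrs, readers, config.rolesReaderFunction, config.rolesPropertyKey)
    .filter((r) => knownRoles.includes(r));

  return { id, displayName, mail, groups, roles };
}

// Direct reading with the keys of the sample conf.json:
// -> id "7f44d40f…", displayName "House", groups ["Support Agent"], roles []
const direct = buildProfile(sampleResponse, sampleConfig);

// Same response, with hypothetical reader functions for name and roles:
// -> displayName "Freddie House", roles ["support_agent"]
const computed = buildProfile(
  sampleResponse,
  { ...sampleConfig, nameReaderFunction: "fullName", rolesReaderFunction: "rolesFromJob" },
  { knownRoles: ["support_agent", "admin"] },
);
```

The identifier check is the one to keep in mind when writing an idReaderFunction: a function that can return null for some users makes the realm reject those logins rather than silently falling back to the NameID.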