SAML Profile Retrieval Computing - Fluid Topics - 3.7

Fluid Topics Integration Guide

Operating system: RHEL
Category: Reference Guides
Audience: public
Version: 3.7

Fluid Topics can delegate the reading of user information from SAML attributes to JavaScript code. This makes it possible to apply custom logic when that data is read.

The JavaScript code must be written in the authentication.js file in the tenant configuration directory. A function must be declared for each user property that is to be read through JavaScript code.

JavaScript functions are called with two parameters:

  • NameID (string): the SAML NameID given by the Identity Provider
  • User attributes (object): a dictionary mapping each attribute name to a list of string values

The return type of each JavaScript function depends on the user property it computes; it is specified in the documentation of the corresponding property.

Example of a response from the SSO provider

The following example assumes that the provider returned the following values.

  • NameID

    name_id: 7f44d40ff8ff8018bd488addc17df599ed0f1054

  • Attributes

    {
      "firstName": ["James"],
      "lastName": ["Bond"],
      "mail": ["james.bond@mi6.co.uk"],
      "job": ["Secret Agent"],
      "login": ["jbond"],
      "id": ["7f44d40ff8ff8018bd488addc17df599ed0f1054"]
    }

The names of the object properties depend on the SSO tool and its configuration.

Example of the authentication.js file to retrieve SSO provider data

  • The following JavaScript function shows how the user display_name property is computed:

    function compute_display_name(name_id, attributes) {
      return attributes.firstName[0] + ' ' + attributes.lastName[0];
    }

  • The following function gets the user name ID:

    function get_name_id(name_id, attributes) {
      return name_id;
    }

  • The following function gets the user email address:

    function get_mail(name_id, attributes) {
      return attributes.mail[0];
    }

  • The following function computes the user groups:

    function compute_groups(name_id, attributes) {
      if (attributes.login[0] == 'jbond') {
        return ['Secret Agents', 'Weapon Experts'];
      }
      return [];
    }

  • The following function computes the user roles:

    function compute_roles(name_id, attributes) {
      if (attributes.login[0] == 'jbond') {
        // James Bond can do anything
        return ['ADMIN'];
      }
      return [];
    }

A SAML attribute name can also take the form of a URL.

The following lines assume that the SSO provider supplies the email address under a URL-shaped attribute name:

{
...
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["james.bond@mi6.co.uk"],
...
}

The following function then retrieves the email address (the attribute value is a list, so the first element is returned, as for the "mail" attribute above):

function get_mail(name_id, attributes) {
  return attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"][0];
}
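The reader functions above index attribute values directly and hard-code a login, so a missing attribute throws a TypeError and any change in the IdP data means editing the file. The following authentication.js is an added example, not Fluid Topics' own code: it tolerates absent attributes, accepts either the short or the claim-URL email attribute name, and derives groups and roles from an IdP-asserted "groups" attribute through an allow-list; the "groups" attribute and the MI6 group names are assumptions, the other attribute names come from the sample response above.

```javascript
// Added example, not Fluid Topics' own authentication.js; "groups" and the MI6 names are assumed.
var EMAIL_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';
// Allow-list mapping IdP group names to Fluid Topics groups; unknown groups are ignored.
var GROUP_MAP = { 'mi6-agents': 'Secret Agents', 'mi6-q-branch': 'Weapon Experts' };
var ADMIN_GROUP = 'mi6-admins';

// First value of a multi-valued SAML attribute, or a fallback when the IdP did not
// assert it (the bare attributes.x[0] form throws a TypeError in that case).
function firstValue(attributes, name, fallback) {
  var values = attributes[name];
  return (values && values.length > 0) ? String(values[0]) : fallback;
}

function get_name_id(name_id, attributes) {
  return name_id;
}

function compute_display_name(name_id, attributes) {
  var full = (firstValue(attributes, 'firstName', '') + ' ' +
              firstValue(attributes, 'lastName', '')).trim();
  return full || name_id; // fall back to the NameID, never "undefined undefined"
}

function get_mail(name_id, attributes) {
  // Accept the short "mail" attribute or the claim-URL form, normalised to lower case.
  var mail = firstValue(attributes, 'mail', firstValue(attributes, EMAIL_CLAIM, ''));
  return mail.trim().toLowerCase();
}

// Lower-cased group names asserted by the IdP (assumed attribute name "groups").
function idpGroups(attributes) {
  var raw = attributes.groups || [], out = [];
  for (var i = 0; i < raw.length; i++) out.push(String(raw[i]).toLowerCase());
  return out;
}

function compute_groups(name_id, attributes) {
  var raw = idpGroups(attributes), out = [];
  for (var i = 0; i < raw.length; i++) {
    // hasOwnProperty so a value such as "constructor" cannot resolve through the prototype
    var mapped = Object.prototype.hasOwnProperty.call(GROUP_MAP, raw[i]) ? GROUP_MAP[raw[i]] : null;
    if (mapped && out.indexOf(mapped) < 0) out.push(mapped);
  }
  return out;
}

// Least privilege: ADMIN only when the IdP asserts the admin group, otherwise no role.
function compute_roles(name_id, attributes) {
  return idpGroups(attributes).indexOf(ADMIN_GROUP) >= 0 ? ['ADMIN'] : [];
}
```

The functions keep the names used by the conf.json example, so the same idReaderFunction, nameReaderFunction, mailReaderFunction, groupsReaderFunction and rolesReaderFunction settings apply unchanged.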

Example of a conf.json file using SSO provider data

  • The following example shows how the conf.json file references these functions:

    "ui": {
      ...
      "authentication": {
        "realms": [
          {
            "name": "$SAML_NAME_EXAMPLE",
            "type": "saml2",
            "configuration": {
              "name": "$SAML_NAME_EXAMPLE",
              "keystoreFile": "saml/keystore.jks",
              "keystorePassword": "$KEYSTORE_PASSWORD",
              "privateKeyPassword": "$PRIVATE_KEY_PASSWORD",
              "entityId": "http://$HOSTNAME/$TENANT_ID/",
              "idpMetadataFile": "saml/idp_metadata.xml",
              "idReaderFunction": "get_name_id",
              "nameReaderFunction": "compute_display_name",
              "mailReaderFunction": "get_mail",
              "groupsReaderFunction": "compute_groups",
              "rolesReaderFunction": "compute_roles",
              "maxAuthenticationLifetime": "$NUMERICAL_VALUE"
            }
          }
        ]
      }
      ...
    },