Request additional user information from an external domain - Fluid Topics - 4.3

Fluid Topics Configuration and Administration Guide

Category
Reference Guides
Audience
public
Version
Latest

Some administrators prefer not to store information about user groups and user roles within the configuration of the realm itself. Instead, they configure a script that calls an HTTP client web service to retrieve user roles and rights from an external system whenever a user authenticates via the SSO mechanism.

The script is intended to be added to a groups or roles mapper.

For security reasons, it is necessary to define a whitelist of authorized external hosts. Without this list, the script will not work. SaaS clients should request assistance from a Fluid Topics representative. On-premises clients can define a whitelist of authorized external hosts by configuring the postAuthenticationRequestableHosts parameter in the features.conf.json file.

Example

An administrator adds the script to a groups mapper to call a fictitious API for a fictitious domain which is accessible via an SSO mechanism:

const response = http.get('https://mydomain.com/api/users/rights?userid=' + user.id)
      .header('Accept', 'application/json')
      .header('Authorization', 'Bearer' + attributes.access_token)
      .asString();

const json = JSON.parse(response);

user.groups = json.rights;

As shown in the example, it is good practice to configure the following headers when adding the script:

  • 'Authorization': a header to define an access token.

  • 'Accept': a header to define the accepted API call and response format.