Some administrators prefer not to store information about user groups and user roles within the configuration of the realm itself. Instead, they configure a script that calls an HTTP client web service to retrieve user roles and rights from an external system whenever a user authenticates via the SSO mechanism.
The script is intended to be added to a groups or roles mapper.
For security reasons, the script may only call hosts listed in a whitelist of authorized external hosts. Requests to any other host are refused, so without this list the script cannot retrieve anything and the mapping fails.
On-premises clients can define a whitelist of authorized external hosts by configuring the postAuthenticationRequestableHosts parameter in the features.conf.json file. SaaS clients should request assistance from a Fluid Topics representative.
Example
An administrator adds the script to a groups mapper to call a fictitious API on a fictitious domain (mydomain.com, which must be present in the whitelist) once the user has authenticated via the SSO mechanism:
// Call the external rights API for the authenticated user. The host must be in the whitelist.
const response = http.get('https://mydomain.com/api/users/rights?userid=' + user.id)
    // Ask the API for a JSON response.
    .header('Accept', 'application/json')
    // Forward the SSO access token; the bearer scheme requires a space after "Bearer".
    .header('Authorization', 'Bearer ' + attributes.access_token)
    .asString();
// The response body is a JSON document whose "rights" array becomes the user's groups.
const json = JSON.parse(response);
user.groups = json.rights;
As shown in the example, it is good practice to set the following headers when adding the script:
- 'Authorization': carries the access token that authenticates the call to the external API (here the bearer token obtained through SSO).
- 'Accept': declares the response format the script expects from the API call (here JSON), so the response can be parsed reliably.