In this scenario, the Acme company wants to fetch user roles from an external domain during SSO authentication. They prefer not to store information about user groups and user roles within the configuration of the realm itself.
To that end, the administrators of Acme create the following script:
    // Call the external rights API for the current user; the user id is
    // URL-encoded so that it cannot alter the query string.
    const response = http.get(`https://example.com/api/users/rights?userid=${encodeURIComponent(user.id)}`)
        .header('Ft-Calling-App', 'MyProfileMapperGetCall')
        .header('Accept', 'application/json')
        // Forward the access token obtained from the authentication realm.
        .header('Authorization', `Bearer ${attributes.access_token}`)
        .send();
    // Parse the JSON body and use its "rights" array as the user's groups.
    const json = JSON.parse(response);
    user.groups = json.rights;
This is a fictional API on a fictional domain, accessible via an SSO mechanism.
With this script, when employees connect, Fluid Topics automatically requests the user groups from the external domain and applies them to the user's account.
- attributes corresponds to the user values coming from the authentication realm.
- user.groups corresponds to the user's groups.
- It is also possible to make POST, PUT, and DELETE calls in profile mappers. See Make HTTP requests.
For security reasons, it is necessary to define an allowlist of authorized external hosts. Without this list, the script does not work. Get in touch with a Fluid Topics representative for more information.
It is possible to use a client certificate when requesting user information from an external domain to enable mutual TLS (mTLS) authentication.