Fluid Topics can delegate the reading of user information from SAML attributes to JavaScript code. This makes it possible to apply custom logic when the attribute values are read.
The JavaScript code has to be written in the authentication.js file in the tenant configuration directory. A function must be declared for each property that has to be read through JavaScript code.
JavaScript functions are called with two parameters:
- NameID (string): the SAML NameID given by the Identity Provider
- User attributes (dictionary): maps each property name to a list of string values
Example of a response from the SSO provider
The following example assumes that the provider returned the following values.
- NameID
name_id: 7f44d40ff8ff8018bd488addc17df599ed0f1054
- Attributes
{
"firstName": ["James"],
"lastName": ["Bond"],
"mail": ["james.bond@mi6.co.uk"],
"job": ["Secret Agent"],
"login": ["jbond"],
"id": ["7f44d40ff8ff8018bd488addc17df599ed0f1054"]
}
Example of the authentication.js file to retrieve SSO provider data
- The following JavaScript function shows how the user display_name parameter is computed:
function compute_display_name(name_id, attributes) {
return attributes.firstName[0] + ' ' + attributes.lastName[0];
}
- The following function gets the user name ID:
function get_name_id(name_id, attributes) {
return name_id;
}
- The following function gets the user email address:
function get_mail(name_id, attributes) {
return attributes.mail[0];
}
- The following function computes the user groups:
function compute_groups(name_id, attributes) {
if (attributes.login[0] == 'jbond') {
return ['Secret Agents', 'Weapon Experts'];
}
return [];
}
- The following function computes the user roles:
function compute_roles(name_id, attributes) {
if (attributes.login[0] == 'jbond') {
// James Bond can do anything
return ['ADMIN'];
}
return [];
}
The following lines assume that the SSO provider supplies the email address under a URL-style attribute name:
{
...
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["james.bond@mi6.co.uk"],
...
}
Then the following lines show how to write the function to retrieve the email address (the attribute value is a list, so the first element is returned, as in the previous get_mail example):
function get_mail(name_id, attributes) {
return attributes["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"][0];
}
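The readers above assume every attribute is present and grant the ADMIN role to a hard-coded login. The following authentication.js is an added example, not Fluid Topics' own code, showing the same five functions written defensively: each reader tolerates a missing or empty attribute instead of throwing, get_mail accepts either the short "mail" key or the URL-style claim, and roles are derived from an assumed "groups" attribute through an explicit allowlist (MAIL_KEYS, GROUP_TO_ROLE, firstValue and the "groups" attribute are assumptions, not part of the page).

```javascript
// Added example, not Fluid Topics' own authentication.js. Assumed names: MAIL_KEYS,
// GROUP_TO_ROLE, firstValue and the "groups" attribute; the rest follows the page's contract.
var MAIL_KEYS = ['mail', 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'];
// Assumed mapping from IdP group names to roles; anything not listed grants no role.
var GROUP_TO_ROLE = { 'ft-admins': 'ADMIN' };

// First non-empty string found under any of the candidate keys, or null.
function firstValue(attributes, keys) {
  for (var i = 0; i < keys.length; i++) {
    var values = attributes && attributes[keys[i]];
    if (Array.isArray(values) && typeof values[0] === 'string' && values[0].trim() !== '') {
      return values[0].trim();
    }
  }
  return null;
}

function get_name_id(name_id, attributes) {
  return name_id;
}

function compute_display_name(name_id, attributes) {
  var name = [firstValue(attributes, ['firstName']), firstValue(attributes, ['lastName'])].filter(Boolean).join(' ');
  // Fall back to the login, then the NameID, so the user is never shown an empty name.
  return name || firstValue(attributes, ['login']) || name_id;
}

function get_mail(name_id, attributes) {
  var mail = firstValue(attributes, MAIL_KEYS);
  // Reject values that are clearly not an address instead of storing them.
  return mail !== null && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(mail) ? mail.toLowerCase() : null;
}

function compute_groups(name_id, attributes) {
  var groups = (attributes && attributes.groups) || [];
  return groups.filter(function (g) { return typeof g === 'string' && g !== ''; });
}

function compute_roles(name_id, attributes) {
  var roles = compute_groups(name_id, attributes).map(function (g) { return GROUP_TO_ROLE[g]; }).filter(Boolean);
  // Deduplicate so a user in two admin groups is not listed as ADMIN twice.
  return roles.filter(function (r, i) { return roles.indexOf(r) === i; });
}

// Constructed sample: the page's attributes plus the assumed "groups" attribute.
var SAMPLE_ATTRIBUTES = {
  firstName: ['James'], lastName: ['Bond'], login: ['jbond'], groups: ['ft-admins', 'Secret Agents'],
  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': ['James.Bond@mi6.co.uk']
};
```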
Example of a conf.json file using SSO provider data
- The following example shows how the conf.json file references these functions by name:
"ui": {
...
"authentication": {
"realms": [
{
"name": "$SAML_NAME_EXAMPLE",
"type": "saml2",
"configuration": {
"name": "$SAML_NAME_EXAMPLE",
"keystoreFile": "saml/keystore.jks",
"keystorePassword": "$KEYSTORE_PASSWORD",
"privateKeyPassword": "$PRIVATE_KEY_PASSWORD",
"entityId": "http://$HOSTNAME/$TENANT_ID/",
"idpMetadataFile": "saml/idp_metadata.xml",
"idReaderFunction": "get_name_id",
"nameReaderFunction": "compute_display_name",
"mailReaderFunction": "get_mail",
"groupsReaderFunction": "compute_groups",
"rolesReaderFunction": "compute_roles",
"maxAuthenticationLifetime": "$NUMERICAL_VALUE"
}
}
]
}
...
},