Shetty, Viraj S [CTR]
 

We have our own UAA server running in a cloud.gov environment which we use for all applications that are deployed in cloud.gov. These applications use OAuth 2 to integrate with the UAA server, and the UAA server is using SAML to integrate with our on-premises ADFS Identity Server. Currently the only claims that we are getting from ADFS are the standard first name, last name, email. But now one of the applications needs a custom claim from the AD. We set that in ADFS and we now see the custom claim as part of the SAML, but we don't see that in the ID token after a user login. What do I need to do in the UAA.yml to get this in the ID token? I added an entry in the attributes mapping but it did not work. Is there anything I need to add to the scopes for this to happen? What's the best way? Any help is appreciated.

attributeMappings:
  somename: claim_url


Martijn de Boer
 

You need to set e.g. the config.attributeMappings['user.attribute.department'] attribute in the identity provider registration. See https://docs.cloudfoundry.org/api/uaa/version/74.18.0/index.html#oauth-oidc

Then you can retrieve it from the userinfo endpoint, see https://docs.cloudfoundry.org/api/uaa/version/74.18.0/index.html#user-info


config.attributeMappings['user.attribute.department'] (String, Optional): Map external attribute to UAA recognized mappings. Mapping should be of the format user.attribute.<attribute_name>. department is used in the documentation as an example attribute.
On 22.05.20 at 19:42, Shetty, Viraj S [CTR] via lists.cloudfoundry.org wrote:

> We have our own UAA server running in a cloud.gov environment which we use for all applications that are deployed in cloud.gov. These applications use OAuth 2 to integrate with the UAA server, and the UAA server is using SAML to integrate with our on-premises ADFS Identity Server. Currently the only claims that we are getting from ADFS are the standard first name, last name, email. But now one of the applications needs a custom claim from the AD. We set that in ADFS and we now see the custom claim as part of the SAML, but we don't see that in the ID token after a user login. What do I need to do in the UAA.yml to get this in the ID token? I added an entry in the attributes mapping but it did not work. Is there anything I need to add to the scopes for this to happen? What's the best way? Any help is appreciated.
>
> attributeMappings:
>   somename: claim_url
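The key format the reply refers to, shown as an added uaa.yml example (this is not code from the thread or from the UAA docs); the provider alias adfs, the ADFS host and the claim URI for the custom attribute are placeholders and assumptions:

```yaml
# Added example: uaa.yml fragment for a SAML identity provider registration.
# "adfs" is an assumed provider alias; ADFS_HOST_PLACEHOLDER and the custom
# claim URI are placeholders for the values ADFS actually emits in its assertion.
login:
  saml:
    providers:
      adfs:
        idpMetadata: https://ADFS_HOST_PLACEHOLDER/FederationMetadata/2007-06/FederationMetadata.xml
        nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
        showSamlLoginLink: true
        linkText: Log in with ADFS
        attributeMappings:
          # Standard attributes UAA recognizes directly (the claims the poster
          # already receives); values are the standard ADFS claim type URIs.
          given_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
          family_name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
          email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
          # Does NOT work: an arbitrary key is not a UAA-recognized mapping,
          # so UAA silently ignores it.
          # somename: claim_url
          # Works: a custom attribute must use the user.attribute.<name> prefix;
          # the value is the SAML attribute name (claim URI) sent by ADFS.
          user.attribute.department: http://schemas.example.org/claims/department
```

With this mapping the value is served by the /userinfo endpoint linked in the reply rather than appearing as a top-level ID token claim; it is assumed here that it arrives in the user_attributes field and that the client needs the user_attributes scope, so verify both against the linked userinfo docs.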