Mapping user roles/groups from LDAP to SAML assertions in OpenAM

Friday, November 15, 2013

For testing purposes I am using OpenAM with the default configuration, which includes an embedded OpenDJ (LDAP) instance. This embedded LDAP directory should not be used in production, but it is perfectly fine for a development setup. I am using OpenAM to set up an identity provider that speaks SAML 2.0 with my service providers.

My service providers need role assertions about the user accessing the service provider. This post goes quickly through all the steps needed to return the roles/groups of a user with a default OpenAM configuration. Before you can do that, you need your identity provider, service provider, realm and circle of trust already configured.

The LDAP directory comes with a default user, demo, which we are going to place in two groups. So let’s create the two groups first. Log in to the web console with your administrator account and go to Access Control.

Click on the Top Level Realm /

Go to the Subjects tab.

Go to the Group tab.

Click on New…, name your group and click on OK (repeat this once more for the second group).

So now we have created two groups.

Go back to the User tab and click on the demo user.

Go to the Group tab.

Move both groups to Selected and click on Save. After that, go back to Subjects.

Go to the Data Stores tab.

Click on embedded. This opens the configuration of the OpenDJ LDAP data store. Scroll down to User Configuration.

Add the value isMemberOf to LDAP User Attributes. isMemberOf is an OpenDJ operational attribute that lists the groups a user is a member of; because it is operational, the directory only returns it when it is requested explicitly, which is why it has to be listed here. Scroll back to the top after adding it and click on Save.

First go back to Data Stores and then go back to Access Control.

Now go to the Federation tab.

Here you can see my circle of trust and two providers. Click on the identity provider.

Click on the Assertion Processing tab.

Under Attribute Mapper you define which user attributes end up in the SAML assertion and under which name. I am mapping the isMemberOf attribute to the SAML attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/role. You may define your own SAML attribute names if you like. Click Save and you are done.

Just to be sure, restart your servlet engine (e.g. Tomcat).

Let me show you that it works by going to a specially prepped service provider. The service provider redirects me to the identity provider for authentication.

After providing valid credentials, the user is redirected back to the service provider. The resource on the service provider shows all the attributes delivered in the SAML response, including the mapped role attribute with the group values from isMemberOf.
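As an added example (not code from the post or from OpenAM), this is what the service-provider side of the mapping looks like: a constructed SAML response carrying the role attribute configured above is parsed, the role values are pulled out, and the isMemberOf group DNs are reduced to group names, keeping only groups under the expected base DN. The group base `ou=groups,dc=example,dc=com` and the group DNs are placeholders, not values from a real OpenAM; the code assumes the response signature has already been validated by your SAML library.

```python
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 responses.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The attribute name configured under Attribute Mapper (isMemberOf -> this name).
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample response (signature omitted; assumed already validated upstream).
# Group DNs are placeholders, not taken from a real OpenDJ.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>demo</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
        <saml:AttributeValue>cn=group1,ou=groups,dc=example,dc=com</saml:AttributeValue>
        <saml:AttributeValue>cn=group2,ou=groups,dc=example,dc=com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attribute_values(response_xml, name):
    """Return every AttributeValue text of the SAML attribute called `name`."""
    root = ET.fromstring(response_xml)
    return [
        (v.text or "").strip()
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == name
        for v in attr.findall("saml:AttributeValue", NS)
    ]


def group_names(dns, group_base="ou=groups,dc=example,dc=com"):
    """Reduce isMemberOf DNs to their cn, keeping only groups directly under group_base.
    Simple split on the first comma; DNs with escaped commas are not handled here."""
    names = []
    for dn in dns:
        rdn, _, parent = dn.partition(",")
        if parent.lower() == group_base.lower() and rdn.lower().startswith("cn="):
            names.append(rdn[3:])
    return names


def roles_from_response(response_xml):
    """Group names the identity provider asserted for the user in this response."""
    return group_names(attribute_values(response_xml, ROLE_ATTR))
```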

Filed Under: Programming, Technology