Authentication through OAuth 2.0 and subject mappings
Ping Identity IDM uses AM bearer tokens for authentication. Accordingly, all authentication is delegated to AM. With AM bearer tokens, all Advanced Identity Cloud endpoints that require authentication are accessed using an authorization header that contains the bearer token. Endpoints that allow anonymous access can be accessed without a token.
This page details the backend process of how AM does this, which includes subject mappings.
An rsFilter is an authentication method used to delegate authentication from IDM to AM.
In Advanced Identity Cloud, the rsFilter is predefined in the authentication configuration.
The rsFilter configuration includes the following properties:
scopes-
Any scopes that are required to be present in the access token. This will vary depending on your configuration. For more information about scopes, refer to OAuth 2.0 scopes in the AM OAuth 2.0 Guide.
cache-
Sets the timeout (
maxTimeout), in seconds, after which the token is removed from the cache. augmentSecurityContext-
Specifies a script that is executed only after a successful authentication request. The script helps to populate the expected security context. For more information, refer to The
augmentSecurityContexttrigger. subjectMapping-
An array of mappings that maps the AM realms (in Advanced Identity Cloud
/alphaand/bravo) to IDM managed object types. For example:"subjectMapping" : [ { "queryOnResource" : "managed/realm-name_user", "propertyMapping" : { "sub" : "_id" }, "userRoles" : "authzRoles/*", "additionalUserFields" : [ "adminOfOrg", "ownerOfOrg" ], "defaultRoles" : [ "internal/role/openidm-authorized" ] } ],-
queryOnResource: The IDM resource to check for the authenticating user; for example,managed/realm-name_user.The
queryOnResourceproperty supports dynamic handlebars template that lets a single subject mapping match multiple realms, if the managed objects are named prescriptively, and based on the realm name.For example:
"queryOnResource" : "managed/realm-name_user"This example configuration lets an access token with the realm
alphamap to an IDMmanaged/alpha_user, and an access token with the realmbravomap to an IDMmanaged/bravo_user. The configuration is useful if your AM and IDM deployments use a consistent realm and managed object naming.-
realm: The AM realm to which this subject mapping applies. A value of/specifies the top-level realm. If this property is absent, the mapping can apply to any realm, which is useful if thequeryOnResourceuses a dynamic handlebars template.You cannot have more than one mapping for the same realm, and you cannot have more than one mapping that has no realmin the configuration. -
propertyMapping: Maps fields in the AM access token to properties in IDM. This mapping is used to construct the query filter that locates the authenticating user. The default configuration maps the subject (sub) in the access token to the_idin IDM. -
userRoles: Determines the field to consult for locating the authorization roles; usuallyauthzRoles, unless you have changed how user roles are stored. This field must be a relationship field. IDM uses the_refIdfrom the array elements to populate the user roles in the security context. -
additionalUserFields: Determines the field to consult for locating the authorization roles; usuallyauthzRoles, unless you have changed how user roles are stored. This field must be a relationship field. IDM uses the_refIdfrom the array elements to populate the user roles in the security context. -
defaultRoles: The default roles that should be applied to a user who authenticates using thersFilter.
-
-
{
"subject" : "RCS-OAuth-clientId",
"localUser" : "internal/user/idm-provisioning"
}The subject must reflect the OAuth2 client in AM that has been set up for the remote connector server. The localUser can be any existing user. Do not assign that user any roles to ensure that the connector server bearer token cannot be used for any other purpose.
staticUserMapping-
Maps AM users to a matching IDM user. Can contain multiple user mappings, each with three properties:
subject,localUser, androles.-
subjectof the access token (the AM user). If you have specified aresourceTypeMapping, the static user mapping includes the full new subject string to match service accounts or static subject mappings, for example:"subject" : "amadmin" -
localUseris the IDM user you want to associate with the AM user identified insubject. For example, ifsubjectis set toamadmin, you might set the correspondinglocalUsertointernal/user/openidm-admin. -
rolesthe default IDM roles that this mapped user will have after they authenticate.The idm-provisioningsubject is a service account used by AM to provision users in IDM. You must include this subject in yourstaticUserMapping. For example:{ "subject": "(age!idm-provisioning)", "localUser": "internal/user/idm-provisioning", "roles" : [ "internal/role/platform-provisioning" ] }
-
|
Only one mapping is selected and used during the authentication process. If there is a In most situations if you have a remote connector server that is authenticating against AM, you must add a subject mapping specifically for the connector server. In this case you must add a |
Test authentication
To test authentication, create your own OAuth 2.0 client with the proper grant types. For more information, refer to Create custom OAuth 2.0 applications with application management.
-
Obtain a bearer token from AM.
For example, the bearer token would look like:
Authorization: Bearer z4uKDWiv4wnxKY7OjeG04PujG8E
For more information on how get a bearer token, refer to Authenticate to REST API with an access token.
-
Authenticate to IDM using that bearer token:
curl \ --request GET \ --header "Content-Type: application/json" \ --header "Authorization: Bearer z4uKDWiv4wnxKY7OjeG04PujG8E" \ 'https://<tenant-env-fqdn>/openidm/info/login' { "_id": "login", "authenticationId": "testClientID", "authorization": { "id": "testClientID", "roles": [ "internal/role/platform-provisioning" ], "component": "internal/user" } }