How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I create a custom SAML2 IdP account mapper in AM (All versions)?

Last updated May 6, 2021

The purpose of this article is to provide information on creating a custom SAML2 account mapper for the hosted IdP in AM. This is achieved by extending the DefaultIDPAccountMapper class that implements the IDPAccountMapper interface, which requires cloning the am-external repository. A common customization is to modify the NameID value included in a SAML2 assertion by adding a static value as prefix and/or suffix.


Overview

If you want to customize the default IdP account mapper, for example, to customize the NameID value returned in the assertion, you can do this by implementing a custom IDPAccountMapper. This is achieved by extending the DefaultIDPAccountMapper Java® class. This class is available from the am-external Git repository hosted on our BitBucket® Server.

Caution

Disclaimer for the following code, please review before implementing these changes. This code is just a sample; it does not include best practice for Java code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.  

Prerequisites 

Creating a custom account mapper requires cloning the am-external repository. Before you begin, please follow the steps below to ensure you have access to the ForgeRock private Maven repository:

  1. Generate a ~/.m2/settings.xml file per How do I access the ForgeRock protected Maven repositories? It is essential that you create a valid settings.xml to access the Maven repositories needed for the build process. Failing to do this will cause your build to fail.
  2. Create an SSH key and add it to your Bitbucket profile to allow you to clone the source code with an SSH URL.

Customizing the NameID value

The NameID value included in the SAML assertion is used by the remote SP to identify the end user via account mapping. See How does AM (All versions) use account mapping to identify the end user from a SAML Assertion? for further information.

There may be a need to modify the NameID value to comply with the business requirement of the remote SP. For example, the SP might want the NameID value to include their domain as a suffix; so if the NameID value is 12345, it would become 12345@sp.example.com when passed in the assertion. This change would only affect the one remote SP; the NameID value for other SPs would remain unchanged.

You can customize the NameID value as follows:

  1. Git clone the AM external repository (this repository is required for reference and building your custom class): $ git clone ssh://git@stash.forgerock.org:7999/openam/am-external.git
  2. Check out the relevant branch. For example, 7.0.0: $ cd am-external $ git checkout releases/7.0.0  $ cd openam-federation
  3. Create a new Java project in your IDE.
  4. Add a Maven dependency to your project for the openam-federation-library. For example:<dependency>  <groupId>org.forgerock.am</groupId>   <artifactId>openam-federation-library</artifactId> </dependency>
Note

You must add openam-federation-library as a dependency. The code for this library is located in the repository you cloned in step 1 (am-external/openam-federation/openam-federation-library). You may need to add more dependencies depending on your specific customization.

  1. Create a new custom class that extends the DefaultIDPAccountMapper class, for example, CustomIDPAccountMapper. You should refer to Interface IDPAccountMapper for further information.
  2. Override the getNameID() method to achieve your desired customization. The resulting class would look similar to this: public class CustomIDPAccountMapper extends DefaultIDPAccountMapper{    @Override     public NameID getNameID(Object session, String hostEntityID, String remoteEntityID, String realm, String nameIDFormat) throws SAML2Exception {         NameID myNameID= super.getNameID(session, hostEntityID, remoteEntityID, realm, nameIDFormat);         if ("http://sp.example.com:38080/openam".equals(remoteEntityID)) {             myNameID.setValue(myNameID.getValue() + "@sp.example.com");         }         return myNameID;     } }
  3. Build a .jar file containing the custom class using the following command:$ mvn clean packageThe project will generate a .jar file containing your custom class in the target directory. For example, am-custom-mapper-7.0.0.jar.
  4. Copy the .jar file to the WEB-INF/lib/ folder where AM is deployed. For example:$ cp am-custom-mapper-7.0.0.jar /path/to/tomcat/webapps/openam/WEB-INF/lib/
  5. Update the configuration for the Hosted IdP with your new custom class:
    • AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers  > [Hosted IdP Name] > Assertion Processing > Account Mapper and replace the default class with the fully qualified name of your custom class.
    • AM 5.x console: navigate to Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Hosted IdP Name] > Assertion Processing > Account Mapper and replace the default class with the fully qualified name of your custom class.
  6. Restart the web application container in which AM runs.
  7. Test your changes.

The resulting assertion will show the modified NameID for the applicable SP. If you used the above snippet of code, this would mean you only see changes for http://sp.example.com, but not for other SPs.

See Also

How do I customize SAML2 plugins in AM (All versions)?

SAML Federation in AM

SAML v2.0 Guide › Assertion Processing

API Javadoc › Interface IDPAccountMapper

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.