How do I customize the default SAML2 IdP attribute mapper in AM/OpenAM (All versions)?
The purpose of this article is to provide information on customizing the default SAML2 attribute mapper for the hosted IdP in AM/OpenAM. This is achieved by extending the DefaultLibraryIDPAttributeMapper class that implements the IDPAttributeMapper interface.
Overview
If you want to customize the default attribute mapper, for example to map an LDAP attribute name and value to a custom format for a specific SP, you can do this by implementing a custom IDPAttributeMapper. This is achieved by extending the DefaultLibraryIDPAttributeMapper class. This class is available from the openam-federation-library-<version>.jar file located in the WEB-INF/lib directory of the AM/OpenAM WAR file. You can find this class in the following path within the jar file: com/sun/identity/saml2/plugins.
Caution
The following code is provided as a sample only; please review it before implementing these changes. It does not include best practice for Java® code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.
Customizing the default IdP attribute mapper
You can customize the default IdP attribute mapper as follows:
- Unpack the AM/OpenAM WAR file and extract the openam-federation-library-<version>.jar file.
- Create a new custom class that extends the DefaultLibraryIDPAttributeMapper class, for example, CustomIDPAttributeMapper. You should refer to Interface IDPAttributeMapper for further information.
- Override the getAttributes() method to achieve your desired customization. The method must keep the signature declared by IDPAttributeMapper, including the throws clause, because the parent implementation can throw SAML2Exception. The resulting class would look similar to this:

    import java.util.List;

    import com.sun.identity.saml2.assertion.Attribute;
    import com.sun.identity.saml2.common.SAML2Exception;
    import com.sun.identity.saml2.plugins.DefaultLibraryIDPAttributeMapper;

    public class CustomIDPAttributeMapper extends DefaultLibraryIDPAttributeMapper {

        /**
         * Let the default mapper build the attribute list from the configured
         * attribute map, then adjust the result for one specific SP only.
         */
        @Override
        public List<Attribute> getAttributes(Object session, String hostEntityID,
                String remoteEntityID, String realm) throws SAML2Exception {
            List<Attribute> attributes = super.getAttributes(session, hostEntityID, remoteEntityID, realm);
            if ("http://sp.example.com:38080/openam".equals(remoteEntityID)) {
                // modify attribute list here
            }
            return attributes;
        }
    }
- Repack the openam-federation-library-<version>.jar with your new custom class.
- Add your customization to the AM/OpenAM WAR file:
- Replace the existing jar file in the WEB-INF/lib directory with your customized jar file.
- Repack the AM/OpenAM WAR file and deploy as normal.
- Update the configuration for the Hosted IdP with your new custom class:
- AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with your custom class.
- AM 5.x console: navigate to Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with your custom class.
- Pre-AM 5 console: navigate to Federation > Circle of Trust Configuration > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with your custom class.
- Restart the web application container in which AM/OpenAM runs.
- Test your changes.
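The following is an added example, not code from the article or from ForgeRock, showing what the "modify attribute list here" step might contain for the use case described in the Overview: re-issuing one attribute under a different SAML name and name format for a single SP. The SP entity ID, the source attribute name "mail" and the target name are assumed values; the AssertionFactory and Attribute calls are the public OpenAM SAML2 assertion API.

```java
import java.util.ArrayList;
import java.util.List;

import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultLibraryIDPAttributeMapper;

/**
 * Hypothetical mapper: for one named SP, the "mail" attribute produced by the
 * default mapper is re-issued under a different SAML attribute name and name
 * format. Every other SP receives the default mapping unchanged.
 */
public class CustomIDPAttributeMapper extends DefaultLibraryIDPAttributeMapper {

    // Assumed values: the SP entity ID and the target attribute name are examples only.
    private static final String TARGET_SP = "http://sp.example.com:38080/openam";
    private static final String SOURCE_NAME = "mail";
    private static final String MAPPED_NAME = "urn:example:claims:emailaddress";
    private static final String URI_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

    @Override
    public List<Attribute> getAttributes(Object session, String hostEntityID,
            String remoteEntityID, String realm) throws SAML2Exception {
        List<Attribute> attributes = super.getAttributes(session, hostEntityID, remoteEntityID, realm);
        // Leave every other SP alone; the default mapper may return null when no map is configured.
        if (attributes == null || !TARGET_SP.equals(remoteEntityID)) {
            return attributes;
        }
        List<Attribute> mapped = new ArrayList<Attribute>(attributes.size());
        for (Attribute attribute : attributes) {
            mapped.add(SOURCE_NAME.equals(attribute.getName()) ? rename(attribute) : attribute);
        }
        return mapped;
    }

    // Build a fresh Attribute instead of mutating the one returned by the default mapper.
    private Attribute rename(Attribute source) throws SAML2Exception {
        Attribute renamed = AssertionFactory.getInstance().createAttribute();
        renamed.setName(MAPPED_NAME);
        renamed.setNameFormat(URI_NAME_FORMAT);
        renamed.setFriendlyName(SOURCE_NAME);
        // The values are carried over unchanged; only the name and format differ for this SP.
        renamed.setAttributeValueString(source.getAttributeValueString());
        return renamed;
    }
}
```

Because the check is on remoteEntityID, an SP that is not the target still gets exactly what the default mapper returns, which keeps the customization from changing assertions for every partner in the circle of trust.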
See Also
How do I customize SAML2 plugins in AM/OpenAM (All versions)?
Related Training
N/A
Related Issue Tracker IDs
OPENAM-11474 (Custom IDP Attribute mappers may cause failures after upgrade)
OPENAM-4550 (document how to build and use a custom SAML IdP/SP Attribute Mapper)