How do I customize the default SAML2 IdP attribute mapper in AM/OpenAM (All versions)?

How To

Last updated Jul 9, 2018

The purpose of this article is to provide information on customizing the default SAML2 attribute mapper for the hosted IdP in AM/OpenAM. This is achieved by extending the DefaultLibraryIDPAttributeMapper class that implements the IDPAttributeMapper interface.

2 readers recommend this article

Overview

If you want to customize the default attribute mapper, for example to map a LDAP attribute name and value to a custom format for a specific SP, you can do this by implementing a custom IDPAttributeMapper. This is achieved by extending the DefaultLibraryIDPAttributeMapper class. This class is available from the openam-federation-library-<version>.jar file located in the WEB-INF/lib directory of the AM/OpenAM WAR file. You can find this class in the following path within the jar file: com/sun/identity/saml2/plugins.

Caution

Disclaimer for the following code, please review before implementing these changes. This code is just a sample; it does not include best practice for Java® code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Professional Services.

Customizing the default IdP attribute mapper

You can customize the default IdP attribute mapper as follows:

Unpack the AM/OpenAM WAR file and extract the openam-federation-library-<version>.jar file.
Create a new custom class that extends the DefaultLibraryIDPAttributeMapper class, for example, CustomIDPAttributeMapper. You should refer to Interface IDPAttributeMapper for further information.

Override the getAttributes() method to achieve your desired customization. The resulting class would look similar to this:

public class CustomIDPAttributeMapper extends DefaultLibraryIDPAttributeMapper {
    /**
    * comments to be made here
     */
    @Override
    public List getAttributes (
        Object session, 
        String hostEntityID, 
        String remoteEntityID, 
        String realm){
        
    List<Attribute> attributes = 
        super.getAttributes (session, hostEntityID, remoteEntityID, realm);
        
    if ("http://sp.example.com:38080/openam".equals(remoteEntityID)) {
            //modify attribute list here
        }  
        
    return attributes;
    }
}

Repack the openam-federation-library-<version>.jar with your new custom class.
Add your customization to the AM/OpenAM WAR file:
- Replace the existing jar file in the WEB-INF/lib directory with your customized jar file.
- Repack the AM/OpenAM WAR file and deploy as normal.
Update the configuration for the Hosted IdP with your new custom class:
- AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with your custom class.
- AM 5.x console: navigate to Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with your custom class.
- Pre-AM 5 console: navigate to Federation > Circle of Trust Configuration > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with your custom class.
Restart the web application container in which AM/OpenAM runs.
Test your changes.

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11474 (Custom IDP Attribute mappers may cause failures after upgrade)

OPENAM-9143 (SAML IdP attribute mappers should work with profile attributes even when the user profile mode is set to dynamic)

OPENAM-4550 (document how to build and use a custom SAML IdP/SP Attribute Mapper)