bcgov / nr-forests-access-management

Authorization solution for BC natural resource sector
Apache License 2.0

SPIKE: for BCeID user, can we get first name, last name and email information from the attribute mapping #1388

Closed MCatherine1994 closed 2 months ago

MCatherine1994 commented 4 months ago

Describe the task Check if the BCeID attribute mapping can be updated to include first name, last name and email information in the token.

Acceptance Criteria

Additional context

ianliuwk1019 commented 4 months ago

Based on SSO Identity Provider Attribute Mapping, First Name/Last Name will not be provided for BCeID accounts.

Based on SSO documentation, it's not possible for BCeID user to map First Name and Last Name into the token. Perhaps, for "business" BCeID, first name and last name don't make sense. We may consider using "Business Legal Name" or "Display Name".

Which would mean, if we like to display on our user table (UI), we may consider 3 columns (not sure if that will be too many columns):

OlgaLiber2 commented 4 months ago

@ianliuwk1019 we need to find out then how we can display first and last names of BCeID users. Business name does not make sense in this case.

ianliuwk1019 commented 4 months ago

@ianliuwk1019 we need to find out then how we can display first and last names of BCeID users. Business name does not make sense in this case.

Ah~ yes, I forgot our search does contain first name and last name; so we can only get from our IDIM search, since they are not provided from Cognito/Pathfinder SSO.

ianliuwk1019 commented 4 months ago

Reply from Conrad:


OlgaLiber2 commented 4 months ago

@ianliuwk1019 whatever we need to do to make it happen. Does it make sense to get Conrad to help us with it?

ianliuwk1019 commented 4 months ago

Also confirmed with SSO team. These fields are not available and can't be customized.

ianliuwk1019 commented 4 months ago

Hi @OlgaLiber2 I think we are trying to explore the possibility of getting first_name and last_name from Cognito for BCeID users. The purpose, I think, is that we can get this information from the token so we can update our FAM user table when the user logs in again. Since that's not possible from the Pathfinder SSO, we could still update our FAM user table since we have the IDIM search already (it's just a bit inconvenient).

If we would have to have this information in the BCeID user token for some more critical business reasons, and as Conrad said, skip Pathfinder SSO and go directly to SiteMinder, that would be an architectural change in design and also a big implementation change I think, plus some political issues Conrad mentioned. @basilv

ianliuwk1019 commented 4 months ago

Closed this spike as it is confirmed we will not be able to get these attributes from Pathfinder SSO; mentioned and discussed with team.

ianliuwk1019 commented 4 months ago

Provide more background on the reasons why SSO Pathfinder does not provide first/last names (from Conrad). FYI @OlgaLiber2

OlgaLiber2 commented 4 months ago

Thanks for closing the loop on this, @ianliuwk1019. Let's update our code to read the attributes directly from BCeID. Let me know what needs to happen next and how I can help. @MCatherine1994

ianliuwk1019 commented 4 months ago

Hi @OlgaLiber2, I am sensing that maybe this brings confusion to you.

For our FAM, our code doesn't need to worry about getting first/last names as we already can get this information for IDIR/BCeID users from the IDIM web service. We tried to explore if we could get this from Cognito (provided by SSO Pathfinder) so that we can provide first/last names in the "ID token" and also benefit from using it at one-time load (or periodically) to refresh our FAM user table.

For displaying first/last names in FAM on the frontend manage-permission page (or other pages), they will be coming from our user table (where we will record first/last names in our database, through the IDIM web service search).

We can create a ticket to explore integration through SiteMinder (I think that's what I understand to be the source of truth, directly from BCeID) for Cognito integration, to bypass SSO Pathfinder; but without this, it does not impact the code we need to do.

But there is one concern, it seems to me: other teams cannot rely on the ID token "displayName" as suggested (to split it into first/last names), and if the recommended approach is for other teams to also integrate search through the IDIM web service, it might be too much for other teams to do (if they don't currently have that search ability or a policy agreement with IDIM). @basilv

basilv commented 4 months ago

We could potentially augment our tokens with first/last name from our database.

ianliuwk1019 commented 4 months ago

Thanks @basilv !! Yes, that's the possibility I have been thinking about. After we have the cron job to refresh our FAM user table, at the same time we can grab the first/last names and update them. Except for the very first login, before the cron job runs, when the token will have no first/last name values. However, hopefully the post-auth won't reach the Cognito timeout limit, and I am not clear if the post-auth can add these attributes to the ID Token (currently, if I understand correctly, it is on the Access Token).

ianliuwk1019 commented 4 months ago

Ahhh~~ I read further and got what you meant ("augment our token") @basilv ! We can customize the ID Token using the "Pre token generation Lambda trigger" to supply the first/last names to the ID Token.
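As an added example (not code from the nr-forests-access-management repository), the following sketches the "augment our token" approach discussed by basilv and ianliuwk1019 above: a Cognito Pre Token Generation (V1) Lambda, in Python, that looks the signed-in user up in a FAM-style user table populated from the IDIM search and writes the names into the ID token via `response.claimsOverrideDetails.claimsToAddOrOverride`. The in-memory table, its key, and the `given_name`/`family_name` claim names are assumptions; the event shape is the one Cognito passes to a V1 pre token generation trigger. The names come only from the server-side table, never from IdP-supplied attributes on the request, and a user who has no row yet (first login before the refresh job runs, the gap ianliuwk1019 points out) gets an unmodified token rather than an empty or guessed name.

```python
"""Added example: Cognito Pre Token Generation (V1) Lambda that augments the
ID token with first/last names from a FAM-style user table.

Not code from the FAM project. The table contents, the lookup key (Cognito
userName) and the claim names are assumptions for illustration.
"""

from typing import Dict, Optional

# Constructed stand-in for the FAM user table that the IDIM search / refresh
# cron job keeps up to date. In the real service this would be a DB query.
FAM_USER_TABLE: Dict[str, Dict[str, str]] = {
    "bceid-user-123": {"first_name": "Jane", "last_name": "Doe"},
    "idir-user-456": {"first_name": "Sam", "last_name": "Smith"},
}


def lookup_user(username: str) -> Optional[Dict[str, str]]:
    """Return the stored first/last name record for a Cognito username, or None."""
    return FAM_USER_TABLE.get(username)


def build_name_claims(username: str) -> Dict[str, str]:
    """Claims to add to the ID token for this user.

    Returns an empty dict when the user is not yet in the table (e.g. very
    first login before the refresh job has run), so no claim is fabricated.
    """
    record = lookup_user(username)
    if record is None:
        return {}
    return {
        "given_name": record["first_name"],
        "family_name": record["last_name"],
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Cognito V1 pre token generation trigger.

    Only `event["userName"]` (set by Cognito, not the client) is used as the
    lookup key; `request.userAttributes` is deliberately ignored because the
    upstream IdP does not supply first/last names for BCeID users.
    """
    username = event.get("userName", "")
    claims = build_name_claims(username)

    response = event.setdefault("response", {})
    details = response.setdefault("claimsOverrideDetails", {})
    if claims:
        details.setdefault("claimsToAddOrOverride", {}).update(claims)
    return event


def sample_event(username: str) -> dict:
    """Constructed V1 pre token generation event for local testing."""
    return {
        "version": "1",
        "triggerSource": "TokenGeneration_Authentication",
        "userName": username,
        "request": {"userAttributes": {"sub": "0000", "email": "x@example.com"}},
        "response": {},
    }


if __name__ == "__main__":
    out = lambda_handler(sample_event("bceid-user-123"))
    print(out["response"]["claimsOverrideDetails"])
    out = lambda_handler(sample_event("unknown-user"))
    print(out["response"]["claimsOverrideDetails"])
```

The handler returns the whole event, as Cognito requires; when the user is unknown the `claimsOverrideDetails` object stays empty, so the token is issued without name claims and the frontend falls back to the user table as described earlier in the thread.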