Open bl000m opened 10 months ago
Hi @bl000m,
> Hello, I have 2 questions related to user attributes and roles in Indigo IAM, I hope you can help. Thank you in advance
>
> 1. Renater User attributes retrieval
>
> When a user authenticates with Renater and registers on the Indigo IAM using the test account `etudiant1`, they are prompted to manually input attributes such as given name, family name, email, etc. Is there a method to automatically detect and populate these attributes (below the fake attributes provided by Renater for `etudiant1`) from the Renater profile?
>
> Example Scenario:
>
> * User logs in with Renater credentials.
> * Redirected to IAM Indigo for registration.
> * Attributes (given name, family name, etc.) are manually entered.
> * Is there an automated way to fetch these attributes from the Renater profile?
You can configure it by adding in your `application-*.yml` file the following section:

```yaml
iam:
  registration:
    samlEntityId: ${IAM_SAML_IDP_METADATA}
    authentication-type: saml
    fields:
      name:
        read-only: false
        external-auth-attribute: given_name
      surname:
        read-only: false
        external-auth-attribute: family_name
      email:
        read-only: false
        external-auth-attribute: email
      username:
        read-only: false
        external-auth-attribute: suggested_username
```

Note that the attribute names (`given_name`, etc.) are derived from the SAML assertion that is returned after authentication with an external provider. Sometimes, for instance, some assertions return `preferred_username` rather than `suggested_username`. You can later verify this at the `/iam/authn-info` endpoint after logging in with your IdP.
I think this last sentence also partly answers the second question.
> 2. User role (admin or not, group admin or not) and attributes Retrieval
>
> It's unclear how to retrieve the roles of users registered on the IAM Indigo instance. Additionally, if attributes are added or updated for a user, what is the process for retrieving the updated information?
>
> Example Scenario:
>
> * User attributes or roles are modified in the IAM Indigo instance.
> * How can the client retrieve the updated information?
> * How can the roles associated with a user be queried programmatically?
>
> Fake attributes provided by Renater for `etudiant1`
>
> | Attribute | Value |
> | --- | --- |
> | cn | Dupont Jean |
> | displayName | Jean Dupont |
> | eduPersonAffiliation | student;member |
> | eduPersonNickname | Jean |
> | eduPersonOrgDN | dc=renater,dc=fr |
> | eduPersonOrgUnitDN | o=maths,dc=renater,dc=fr |
> | eduPersonPrimaryAffiliation | student |
> | eduPersonPrimaryOrgUnitDN | o=maths,dc=renater,dc=fr |
> | eduPersonPrincipalName | etudiant1@test-renater.fr |
> | eduPersonScopedAffiliation | student@test-renater.fr;member@test-renater.fr |
> | eduPersonTargetedID | https://test-idp.federation.renater.fr/idp/shibboleth!https://test-sp.federation.renater.fr!G7RU5R5PVWO2EQKBIO3ZHOMTQEQ2MO6J |
> | facsimileTelephoneNumber | 0102030405 |
> | givenName | Jean |
> | l | Paris |
> | labeledURI | http://example.org/dupont |
> | mail | jean.dupont@formation.renater.fr |
> | mailForwardingAddress | jeanperso@example.org |
> | o | formation.renater.fr |
> | ou | maths |
> | pairwise-id | G7RU5R5PVWO2EQKBIO3ZHOMTQEQ2MO6J@test-renater.fr |
> | postalAddress | 1 rue de Paris$12345 Ville |
> | preferredLanguage | FR |
> | schacHomeOrganization | test-renater.fr |
> | schacHomeOrganizationType | urn:schac:homeOrganizationType:int:nren |
> | schacPersonalUniqueCode | urn:schac:personalUniqueCode:int:esi:fr:1234567890G |
> | sn | Dupont |
> | subject-id | etudiant1@test-renater.fr |
> | supannActivite | {CNU}5404 |
> | supannAutreMail | etud1@fai1.fr;etud2@fai2.fr |
> | supannAutreTelephone | 1234567890 |
> | supannCMSType | etudiant |
> | supannCivilite | Mr |
> | supannCodeINE | 1234567890G |
> | supannEntiteAffectation | z-123;z-124 |
> | supannEntiteAffectationPrincipale | z-123 |
> | supannEtablissement | {ILN}1-341725201;{AUTRE}formation.renater.fr |
> | supannEtuAnneeInscription | 2008 |
> | supannEtuCursusAnnee | {SUPANN}L3 |
> | supannEtuDiplome | {SISE}2001350 |
> | supannEtuElementPedagogique | {UAI:0171463Y}4929 |
> | supannEtuEtape | {UAI:0171463Y}401 |
> | supannEtuId | 12345 |
> | supannEtuInscription | [etab={UAI}0131843H][anneeinsc=2007][regimeinsc={SISE}10][sectdisc={SISE}04][typedip={SISE}YA][cursusann=D3][affect=56R17][diplome={SISE}2001099][etape={UAI:0131843H}B8EFAI-B8EFA3] |
> | supannEtuRegimeInscription | {SISE}10 |
> | supannEtuSecteurDisciplinaire | {SISE}27 |
> | supannEtuTypeDiplome | {SISE}DC |
> | supannListeRouge | FALSE |
> | supannMailPerso | jeanperso@example.org |
> | supannNomDeNaissance | Dupont |
> | supannOIDCDateDeNaissance | 1993-02-04 |
> | supannOIDCGenre | male |
> | supannPrenomsEtatCivil | Jean Pierre |
> | supannRefId | {INE}1234567890G;{APOGEE}12345 |
> | supannRessourceEtat | {MAIL}I:SupannExpire;{COMPTE}A |
> | supannRessourceEtatDate | {COMPTE}I:SupannExpire:20211212:20220612;{COMPTE}A:SupannSursis:20210912:20211212;{COMPTE}A::20180115: |
> | supannRoleEntite | [role=PRESIDENT][type=CONSEIL-ETUDIANT] |
> | supannRoleGenerique | PRESIDENT-CONSEIL-ETUDIANT |
> | telephoneNumber | +33 1 23 45 67 89 |
> | title | M. |
> | uid | etudiant1 |
Also, other user info, like roles, attributes, etc., can be obtained via the IAM account API. Only admins can access this API, but starting from IAM v1.8.2 access is based on the `iam:admin.read` and `iam:admin.write` scopes (no longer based on roles).

Ref. https://indigo-iam.github.io/v/v1.8.2/docs/reference/api/account-api/
Hi @rmiccoli,

Thanks for your response. I'm a bit unsure where to add the .yml file exactly.

I've realized my initial questions may not have been clear. I made a quick video to help explain: Video Link

In the video, you'll see that the Renater test user is asked to register before being redirected to the client callback. So I wonder how the config .yml could fix the problem, could you clarify that?

I also have another question. After a user is prompted to register in the Indigo IAM instance, can I customize it by showing an alert like "Your request has been sent for approval. You'll be notified once it's validated. Feel free to leave this page. See you soon."? Or it would be even better if we could skip the admin approval for the user if he's affiliated with the entity corresponding to the research infrastructure for which the Indigo IAM instance is meant. Would it be possible?

For the second question, here's an example scenario for clarification:

* A user with no admin role logs into FITS via Indigo IAM.
* How can I find out their role to prevent access to admin features if they can't access the account API?

Thanks for your help
> Hi @rmiccoli,
>
> Thanks for your response. I'm a bit unsure where to add the .yml file exactly.
>
> I've realized my initial questions may not have been clear. I made a quick video to help explain: Video Link
>
> In the video, you'll see that the Renater test user is asked to register before being redirected to the client callback. So I wonder how the config .yml could fix the problem, could you clarify that?
If you use a docker container, you can mount the file in the default directory `/indigo-iam/config`.

If your file is named `application-pippo.yml`, remember to set the profile `pippo` in the `IAM_JAVA_OPTS` env variable, e.g.

```shell
IAM_JAVA_OPTS=-Dspring.profiles.active=pippo
```
> I also have another question. After a user is prompted to register in the Indigo IAM instance, can I customize it by showing an alert like "Your request has been sent for approval. You'll be notified once it's validated. Feel free to leave this page. See you soon."? Or it would be even better if we could skip the admin approval for the user if he's affiliated with the entity corresponding to the research infrastructure for which the Indigo IAM instance is meant. Would it be possible?
No, it is not possible at the moment. We have some work ready on autoprovisioning but there are bugs to work out.
> For the second question, here's an example scenario for clarification:
>
> * A user with no admin role logs into FITS via Indigo IAM.
> * How can I find out their role to prevent access to admin features if they can't access the account API?
>
> Thanks for your help
If I understood your question correctly, an authenticated user can only access their own info (attributes, authorities) through the web interface, e.g. `https://<your-iam-instance>/iam/me/authorities` or `https://<your-iam-instance>/iam/account/<uuid>/attributes`.
Thank you @rmiccoli,

I have a docker compose that mounts on iam-login-service the files generated from other containers, and `IAM_JAVA_OPTS` set as follows: `IAM_JAVA_OPTS=-Dspring.profiles.active=prod,oidc,saml,registration,renater`

But still the Renater test user is prompted to manually add his data in the registration form. Where am I wrong?

NB: thanks for the other question, I think it's clear now
```yaml
  jwtk_generator:
    build:
      context: ./Docker/jwtk_generator
    container_name: jwtk_generator
    env_file:
      - .env
    volumes:
      - jwtk_gen:/app
    command: tail -f /dev/null
    networks:
      - default
    restart: unless-stopped
  cert_generator:
    build:
      context: ./Docker/cert_generator
      args:
        - IAM_SAML_KEY_PASSWORD=${IAM_SAML_KEY_PASSWORD}
        - IAM_HOST=${IAM_HOST}
    container_name: cert_generator
    volumes:
      - cert_gen:/certs
    env_file:
      - .env
    command: tail -f /dev/null
    networks:
      - default
    restart: unless-stopped
  iam-login-service:
    image: indigoiam/iam-login-service
    container_name: iam-login-service
    ports:
      - 8080:8080
    env_file:
      - .env
    volumes:
      - ./DB/mariadb_data_iam_db:/var/lib/mysql
      - ./Tokens/keystore.jwks:/keystore.jwks
      - ./Certs/self-signed.jks:/self-signed.jks
      - ./Conf/application-renater.yml:/application-renater.yml
    restart: unless-stopped
    depends_on:
      - mariadb_iam_db
      - jwtk_generator
      #- cert_generator
    networks:
      - default
```
Please replace `- ./Conf/application-renater.yml:/application-renater.yml` with `- ./Conf/application-renater.yml:/indigo-iam/config/application-renater.yml` and be sure that in the IAM log you have something like

```
2023-11-17 10:34:36.584 INFO 368629 --- [ restartedMain] it.infn.mw.iam.IamLoginService : The following ... profiles are active: "renater", ...
```
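The two conditions in the reply above (the `application-<profile>.yml` must sit under `/indigo-iam/config`, and that profile must be listed in `-Dspring.profiles.active` inside `IAM_JAVA_OPTS`) can be checked mechanically before restarting the container. The snippet below is an added example, not part of Indigo IAM and not code from this thread; it takes the `volumes` entries and the `IAM_JAVA_OPTS` value posted in the thread as constructed input and flags the bind mount that lands outside the config directory. The default config directory and the `application-<profile>.yml` naming rule come from the thread; the function names and the check logic are the example's own.

```python
"""Sanity-check config bind mounts and Spring profile activation for an
iam-login-service container.  Added example, not part of Indigo IAM."""
import re
from pathlib import PurePosixPath
from typing import List, Tuple

# Default config directory named in the thread (assumed to be the only
# directory IAM reads application-<profile>.yml files from).
CONFIG_DIR = PurePosixPath("/indigo-iam/config")
PROFILE_FILE = re.compile(r"^application-([A-Za-z0-9_]+)\.ya?ml$")


def active_profiles(java_opts: str) -> List[str]:
    """Return the Spring profiles listed in an IAM_JAVA_OPTS string."""
    m = re.search(r"-Dspring\.profiles\.active=(\S+)", java_opts)
    return m.group(1).split(",") if m else []


def check_config_mounts(volumes: List[str], java_opts: str) -> Tuple[List[str], List[str]]:
    """For every application-<profile>.yml bind mount in `volumes`, verify
    the container-side path is under CONFIG_DIR and the profile is active.
    Returns (ok_mounts, problems)."""
    profiles = active_profiles(java_opts)
    ok, problems = [], []
    for spec in volumes:
        # compose short syntax: host:container[:mode]; keep the container path
        _host, _, rest = spec.partition(":")
        target = PurePosixPath(rest.split(":")[0])
        m = PROFILE_FILE.match(target.name)
        if not m:
            continue  # not a Spring profile file, nothing to check
        profile = m.group(1)
        if target.parent != CONFIG_DIR:
            problems.append(f"{spec}: must be mounted as {CONFIG_DIR / target.name}")
        elif profile not in profiles:
            problems.append(
                f"{spec}: profile '{profile}' not in "
                f"spring.profiles.active={','.join(profiles) or '<unset>'}"
            )
        else:
            ok.append(spec)
    return ok, problems


# Constructed input: the volumes and IAM_JAVA_OPTS posted in the thread.
POSTED_VOLUMES = [
    "./DB/mariadb_data_iam_db:/var/lib/mysql",
    "./Tokens/keystore.jwks:/keystore.jwks",
    "./Certs/self-signed.jks:/self-signed.jks",
    "./Conf/application-renater.yml:/application-renater.yml",
]
POSTED_JAVA_OPTS = "-Dspring.profiles.active=prod,oidc,saml,registration,renater"

if __name__ == "__main__":
    ok, problems = check_config_mounts(POSTED_VOLUMES, POSTED_JAVA_OPTS)
    for p in problems:
        print("PROBLEM:", p)
    for o in ok:
        print("OK:", o)
```

Run it against the compose fragment before `docker compose up`; the posted file produces one problem line pointing at `/indigo-iam/config/application-renater.yml`, and the corrected mount passes only when `renater` is also present in the profile list.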
I did it. I have this IAM log:

```
The following 7 profiles are active: "prod", "mysql", "flyway-repair", "oidc", "saml", "registration", "renater"
```

but still the user from Renater is asked to manually register.

To check, if I try:

```shell
sudo docker exec -it iam-login-service bash
cat ./config/application-renater.yml
```

=> I have:

```yaml
iam:
  registration:
    samlEntityId: ${IAM_SAML_IDP_METADATA}
    authentication-type: saml
    fields:
      name:
        read-only: false
        external-auth-attribute: given_name
      surname:
        read-only: false
        external-auth-attribute: family_name
      email:
        read-only: false
        external-auth-attribute: email
      username:
        read-only: false
        external-auth-attribute: suggested_username
```

If I try:

```shell
env | grep IAM_SAML_IDP_METADATA
```

=> I do find: `IAM_SAML_IDP_METADATA=http://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml`

What am I doing wrong? Thanks
Once you get to the login form, can you please verify that you can see the attributes `given_name`, etc., at the `/iam/authn-info` endpoint?
At the `/iam/authn-info` endpoint I see this (only `suggested_username` is not null):

```json
{
  "type": "SAML",
  "issuer": "https://test-idp.federation.renater.fr/idp/shibboleth",
  "subject": "lecteur1@test-renater.fr",
  "subject_attribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
  "email": null,
  "given_name": null,
  "family_name": null,
  "suggested_username": "lecteur1@test-renater.fr",
  "additional_attributes": {
    "EPPN": "lecteur1@test-renater.fr",
    "EPUID": "lecteur1@test-renater.fr",
    "type": "saml",
    "idpEntityId": "https://test-idp.federation.renater.fr/idp/shibboleth"
  }
}
```
It means that the Renater IdP does not provide those attributes, but you should at least see the `username` field filled out with the value `lecteur1@test-renater.fr` in the registration form.

If you use the student profile, you should get those attributes (I took a look at https://services.renater.fr/federation/en/outils/outils-de-test/idp-de-test).
Yes, I do see the username field, but it's mapped on eduPersonPrincipalName; how can I map it on displayName? All the other fields are empty. Actually Renater should provide all the attributes (see above in the first message, where I posted the fake attributes provided by Renater for `etudiant1`, or in the link you looked at - https://services.renater.fr/federation/en/outils/outils-de-test/idp-de-test - click on "our test service provider", then "federation de test"; you can log in with the `etudiant1` credentials to check the attributes).

Thanks for your help.
Yes, actually I can see them also by authenticating with the authorized reader profile credentials. The fact that you see the username mapped on eduPersonPrincipalName is due to an IAM internal mapping:

SAML -> IAM

* `given_name`
* `family_name`
* `email`
* `suggested_username`

The other SAML attributes are published under the `additional_attributes` claim. They include the `commonName` (cn), not the `displayName`, so you could change the configuration by replacing the `suggested_username` with `CN`.

The weird thing is that the other attributes, like `CN`, are not shown (or are null) even if they are present. I'll investigate further.
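The exchange above boils down to one check: a registration field is prefilled only if the attribute named in its `external-auth-attribute` is present and non-null in `/iam/authn-info`. The snippet below is an added diagnostic, not part of Indigo IAM and not code from this thread; it takes the `/iam/authn-info` payload posted above (copied here as constructed sample input) and the `iam.registration.fields` mapping from `application-renater.yml`, and reports which fields the user will still have to type. It also tries the `CN` mapping suggested in the last reply. The fallback lookup into `additional_attributes` is an assumption modelled on that suggestion, not documented IAM behaviour, so treat an empty result there as "check the IdP attribute release" rather than as a config error.

```python
"""Predict which Indigo IAM registration fields will be prefilled from a
/iam/authn-info payload.  Added diagnostic, not part of Indigo IAM."""
import json
from typing import Dict, List, Optional

# Constructed sample: the /iam/authn-info payload the thread shows for the
# Renater "lecteur1" test account.
AUTHN_INFO_JSON = """
{
  "type": "SAML",
  "issuer": "https://test-idp.federation.renater.fr/idp/shibboleth",
  "subject": "lecteur1@test-renater.fr",
  "subject_attribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
  "email": null,
  "given_name": null,
  "family_name": null,
  "suggested_username": "lecteur1@test-renater.fr",
  "additional_attributes": {
    "EPPN": "lecteur1@test-renater.fr",
    "EPUID": "lecteur1@test-renater.fr",
    "type": "saml",
    "idpEntityId": "https://test-idp.federation.renater.fr/idp/shibboleth"
  }
}
"""

# The iam.registration.fields block from application-renater.yml, reduced to
# registration field -> external-auth-attribute.
REGISTRATION_FIELDS: Dict[str, str] = {
    "name": "given_name",
    "surname": "family_name",
    "email": "email",
    "username": "suggested_username",
}


def resolve_attribute(authn_info: dict, attr: str) -> Optional[str]:
    """Return the non-empty value available for `attr`, or None.
    Assumption: a top-level claim wins; otherwise look inside
    additional_attributes (this mirrors the CN suggestion in the thread and
    is not documented IAM behaviour)."""
    value = authn_info.get(attr)
    if value in (None, ""):
        value = authn_info.get("additional_attributes", {}).get(attr)
    return value if value not in (None, "") else None


def prefill_report(authn_info: dict, fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each registration field to the value it would be prefilled with;
    None means the user will be asked to type it in."""
    return {field: resolve_attribute(authn_info, attr) for field, attr in fields.items()}


def report_from_json(json_text: str, fields: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Convenience wrapper: parse the raw /iam/authn-info body first."""
    return prefill_report(json.loads(json_text), fields)


def missing_fields(report: Dict[str, Optional[str]]) -> List[str]:
    """Registration fields that will stay empty, sorted by name."""
    return sorted(field for field, value in report.items() if value is None)


if __name__ == "__main__":
    report = report_from_json(AUTHN_INFO_JSON, REGISTRATION_FIELDS)
    for field, value in report.items():
        print(f"{field:>9}: {value if value else '<manual input required>'}")
    print("still manual:", missing_fields(report))
    # The alternative mapping proposed in the thread: username -> CN.
    alt_fields = dict(REGISTRATION_FIELDS, username="CN")
    print("username with CN mapping:", report_from_json(AUTHN_INFO_JSON, alt_fields)["username"])
```

With the `lecteur1` payload the report shows only `username` prefilled and `email`, `name`, `surname` left to manual input, and switching the username mapping to `CN` yields nothing because `CN` is not in the payload at all; that is exactly the situation the last reply flags for investigation, and the point at which to verify what the IdP actually releases rather than keep editing the YAML.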