
I wanted to capture user attributes coming from the SAP IdP (Identity & Authentication tenant service), like department, salutation, company etc., via the UserAccessor SDK API. Although those attributes are set and have values on the IdP user, and all the integration between the IdP and the subaccount is in place, post-authentication the user attributes object is empty. I am only able to retrieve specific attributes like first name, last name, email address, user groups etc. via the JWT and the UserAccessor API, but no luck with the other attributes. In the IdP I have mentioned these attributes as well under assertion attributes in the SAP Identity Authentication tenant.

Please guide and help in this matter.

Thanks, Siddharth

SCD
  • Please refer to https://stackoverflow.com/questions/53858644/accessing-user-attributes-using-useraccessor – Sander Wozniak Jul 12 '19 at 11:26
  • Thanks Sander, but I am not getting any value in `ua` by following this approach: `UserAttribute ua = optionalfirstName.get();` so the remaining code in the thread does not work – SCD Jul 15 '19 at 07:09
  • Once I have a value in the JWT these APIs are working. Very well explained; this helped me resolve the issue. Thanks Sander for your valuable help and inputs – SCD Jul 19 '19 at 08:38

1 Answer


Update: As we have now identified the problem, I will update my answer to reflect that. The original answer below is outdated:

Okay so the problem is that you haven't mapped any additional user attributes from your Identity Provider (IdP) to your JWT. As far as I'm aware there are three things you will need to do:

  1. You need to create attributes in your xs-security.json (the file you used to configure your XSUAA service instance). This documentation should explain how to do that.
  2. You need to configure which attributes are exposed by your IdP (in your case the SAP Identity & Authentication service). This documentation looks like a good place to start looking.
  3. You need to map the attributes exposed by your IdP to the attributes defined in your xs-security.json. You will probably need to reconfigure (i.e. delete, recreate and rebind) your XSUAA service instance with the updated config, before you can do this step. Then, navigate to your application in the Cloud Platform Cockpit, from the left toolbar click "Security > Roles" and create your mapping.

Let me know if this works for you!


Original Answer:

As far as I'm aware the default IdP does not support SAML. Without SAML, I'm not sure whether you can propagate any attributes from your IdP into the JWT.

Please also check out this discussion for more information.

Dennis H
  • Thanks Dennis, I am using the SAP Identity & Authentication service, which supports SAML. I have filled in a few additional attributes in the user, like department, salutation etc., but in the UserAccessor API nothing is being captured – SCD Jul 15 '19 at 07:11
  • Can you provide additional information? Without any code or logs or configs it's hard to diagnose the problem. – Dennis H Jul 15 '19 at 07:37
  • `Optional<UserAttribute> opUa = UserAccessor.getCurrentUser().getAttribute("first_name"); UserAttribute ua = opUa.get();` <-- *this line throws NoSuchElementException* `if (ua instanceof SimpleUserAttribute) { String value = (String) ((SimpleUserAttribute<?>) ua).getValue(); } else if (ua instanceof CollectionUserAttribute) { Collection<?> values = ((CollectionUserAttribute<?>) ua).getValues(); }` – SCD Jul 15 '19 at 08:08
  • Please note that I am able to retrieve the user name via this, but not the attributes: `UserAccessor.getCurrentUser().getName()` – SCD Jul 15 '19 at 08:11
  • Can you please check the result of `AuthTokenAccessor.getCurrentToken().get().getJwt().getPayload()`? This shows you the "raw" JWT. If the values are in there, there might be a problem in your code. If they are missing, there is probably a problem with your mapping. – Dennis H Jul 15 '19 at 11:23
  • The JWT payload also shows empty values for the user attributes. I am using the SAP Identity and Authentication tenant; there I don't have any option to define an application mapping for attributes. The only option I have is to define assertion attributes, and at the SCP subaccount level on Cloud Foundry there is no option to map these assertion attributes to the application. How will this work on SCP Cloud Foundry? – SCD Jul 15 '19 at 15:39
  • Hi Dennis, I referred to the Stack Overflow thread you mentioned. I am facing two problems: if I add attributes in the xs-security.json file and build and deploy my MTA, it throws an error on deployment and says that attributes need to be defined; if I define attributes in the xs-security file it throws an error that attributes should contain a default value or take values automatically. I believe this solution is for a Neo account; how can I make this work on Cloud Foundry? – SCD Jul 16 '19 at 07:30
  • I edited my answer, please check it out and see if it helps you. – Dennis H Jul 17 '19 at 07:28
  • Thanks Dennis, I am unable to add attributes to the security file. It builds fine, but during MTA deployment it throws this error: `Unexpected error: 502 Bad Gateway: Service broker error: Error updating application test1!t7251 (Sorry, attributes can only be added to existing role templates, if they either define default values or the attribute itself does not require a value.)` – SCD Jul 17 '19 at 14:08
  • I have no experience with MTA, so I can only guess here... Have you really deleted your service and recreated it? Have you tried creating a new role template? According to the error message you're adding to an existing one – Dennis H Jul 17 '19 at 14:35
  • Appreciate your help in this matter. It does not work through Web IDE; I had to unbind the instance, delete and recreate it through the command line. From MTA the automatic configuration update does not happen, seems like a bug. Will keep you posted on further steps – SCD Jul 17 '19 at 14:57
  • Very well explained; this helped me resolve the issue. Thanks Dennis for your valuable help and inputs – SCD Jul 19 '19 at 08:38
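The answer's three steps and the "look at the raw JWT" check from the comments come down to one question: did the attributes declared in xs-security.json actually arrive in the token? The following is an added example, not code from the asker, the answerer or SAP. It assumes, as XSUAA does, that mapped user attributes appear in the token payload under the `xs.user.attributes` claim as a map of attribute name to a list of string values, and that the `attributes` and `role-templates`/`attribute-references` keys are the xs-security.json schema used in step 1. The xs-security.json fragment and the tokens are constructed for this demo; real tokens would come from `AuthTokenAccessor.getCurrentToken().get().getJwt()` as the comments suggest.

```python
"""Diagnose whether IdP user attributes reached the XSUAA JWT.

Added example; not code from the asker, the answerer or SAP.
Assumption: XSUAA carries mapped attributes under "xs.user.attributes"
as {name: [values...]}. Config and tokens below are constructed.
"""
import base64
import json

# Constructed xs-security.json fragment (step 1 of the answer): declare the
# attributes and reference them from a role template so that they can be
# mapped to IdP assertion attributes in the cockpit (step 3).
XS_SECURITY_JSON = """
{
  "xsappname": "demoapp",
  "tenant-mode": "dedicated",
  "scopes": [{"name": "$XSAPPNAME.Display", "description": "Display"}],
  "attributes": [
    {"name": "department", "description": "Department", "valueType": "string"},
    {"name": "salutation", "description": "Salutation", "valueType": "string"}
  ],
  "role-templates": [{
    "name": "Viewer",
    "description": "Viewer",
    "scope-references": ["$XSAPPNAME.Display"],
    "attribute-references": ["department", "salutation"]
  }]
}
"""


def expected_attributes(xs_security_json):
    """Attribute names the application declared towards XSUAA."""
    cfg = json.loads(xs_security_json)
    return {attr["name"] for attr in cfg.get("attributes", [])}


def _b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Return the payload claims WITHOUT verifying the signature.

    This is the 'raw JWT' look the comments suggest, for diagnosis only;
    an unverified payload must never drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_attributes(payload, expected):
    """Expected attributes that are absent or empty in xs.user.attributes."""
    present = payload.get("xs.user.attributes") or {}
    return {name for name in expected if not present.get(name)}


def diagnose(token, xs_security_json):
    """Separate a mapping problem (token lacks values) from a code problem."""
    expected = expected_attributes(xs_security_json)
    missing = missing_attributes(decode_jwt_payload(token), expected)
    if missing:
        verdict = ("mapping: attributes absent from token; check the IdP assertion "
                   "attributes and the XSUAA role/attribute mapping")
    else:
        verdict = "code: attributes are in the token; check how the app reads them"
    return {"expected": sorted(expected), "missing": sorted(missing), "verdict": verdict}


def make_demo_token(claims):
    """Build a constructed token for offline testing; the signature segment is
    a placeholder, so this token is NOT verifiable and is not issued by XSUAA."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"


if __name__ == "__main__":
    # Constructed tokens: the situation from the question (empty map) and the
    # situation after the three steps have been completed.
    before = make_demo_token({"user_name": "siddharth", "xs.user.attributes": {}})
    after = make_demo_token({"user_name": "siddharth",
                             "xs.user.attributes": {"department": ["Sales"],
                                                    "salutation": ["Mr."]}})
    print(diagnose(before, XS_SECURITY_JSON))
    print(diagnose(after, XS_SECURITY_JSON))
```

If `missing` is non-empty, the application code cannot be at fault: the attributes never made it into the token, which points at the IdP assertion attributes (step 2) or the role/attribute mapping (step 3), exactly as the comments concluded. If `missing` is empty but the UserAccessor call still returns nothing, the problem is on the application side.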