Use case: Propagating arbitrary non-persistent string attributes with the Generic ID Propagator

Authentication flow steps may store arbitrary non-persistent key-string pairs (i.e., strings that are not stored in the IAM database) in the flow session. These key-string pairs are available to identity propagation, i.e., they may be sent to back-end applications.

This article describes how to propagate key-string pairs using the Generic ID Propagator plugin.

The possibility to store arbitrary non-persistent string values in the authentication flow session was originally implemented for attributes extracted from SAML assertions (IAM acting as SAML SP). Future IAM flow steps, as well as custom code, may store other string attributes in the authentication flow session.

Prerequisites

  • One or more authentication flow steps store non-persistent key-string pairs in the authentication flow session.
  • A Generic ID Propagator plugin is configured as an identity propagator in the affected target application.
  • The identity propagator uses Ticket String Provider plugins that support value providers. In the example, the plugin Ticket String Provider is used.

Configuration for a single key-string pair

  1. Go to:
    Loginapp >> Applications and Authentication >> affected application
  2. In property Identity Propagation, open the Generic ID Propagator plugin.
  3. In property Ticket String Provider, create and edit the Ticket String Provider plugin (or similar plugin supporting value providers).
  4. In property Value Providers, create and edit a Value Provider Map plugin or edit the plugin, if it is already in the list.
  5. In property Value Providers, create a new plugin of the type Container Flow Attribute String Provider and choose a Key to reference it later.
  6. In the Container Flow Attribute String Provider, reference the value to be chosen from the flow string container.
  7. The selected value is now available through the Generic ID Propagator under the specified key and can be used for further processing in the configured ticket string provider.

Configuration for multiple key-string pairs

  1. Go to:
    Loginapp >> Applications and Authentication >> affected application >> Identity Propagation >> Generic ID Propagator >> Ticket String Provider (or other Ticket String Provider supporting value providers).
  2. Add the Container Flow Attribute Value Map Provider to the list of Value Providers. It adds all non-persistent key-string pairs from the authentication flow session to the values.
  3. All key-string values are now available and can be used for further processing in the configured ticket string provider.

Values provided by other value provider plugins may get overwritten. To avoid this, choose unique keys, either when the flow step stores the key-string attributes in the session or by using the single key-string pair configuration described above.
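The following Python model is an added illustration, not the product's own code: the plugin names are used as labels only, and the rule that a later provider in the Value Providers list overwrites an earlier one is an assumption. It contrasts the single-pair and map variants described above and shows why a unique key prevents a session value from replacing one supplied by another provider.

```python
from typing import Callable, Dict, List, Tuple

Provider = Callable[[], Dict[str, str]]

# Constructed sample: non-persistent key-string pairs that an earlier flow step
# (e.g. a SAML SP step) stored in the authentication flow session.
FLOW_SESSION_STRINGS: Dict[str, str] = {"department": "finance", "costcenter": "4711", "role": "user"}


def flow_attribute_string_provider(session_key: str, output_key: str) -> Provider:
    """Model of the Container Flow Attribute String Provider (single pair):
    exposes one session value under the Key chosen in the configuration."""
    def provide() -> Dict[str, str]:
        value = FLOW_SESSION_STRINGS.get(session_key)
        return {output_key: value} if value is not None else {}
    return provide


def flow_attribute_value_map_provider() -> Dict[str, str]:
    """Model of the Container Flow Attribute Value Map Provider (all pairs):
    every session pair is added under its original key."""
    return dict(FLOW_SESSION_STRINGS)


def iam_role_provider() -> Dict[str, str]:
    """Constructed stand-in for another value provider whose value the back-end
    relies on (e.g. a role read from the IAM database)."""
    return {"role": "portal-user"}


def build_value_map(providers: List[Provider]) -> Tuple[Dict[str, str], List[str]]:
    """Merge provider outputs in list order (assumption: a later provider wins on a
    duplicate key) and report every value that was overwritten on the way."""
    merged: Dict[str, str] = {}
    overwritten: List[str] = []
    for provide in providers:
        for key, value in provide().items():
            if key in merged and merged[key] != value:
                overwritten.append(f"{key}: {merged[key]!r} -> {value!r}")
            merged[key] = value
    return merged, overwritten


if __name__ == "__main__":
    # Map variant: the session's "role" silently replaces the IAM role.
    print(build_value_map([iam_role_provider, flow_attribute_value_map_provider]))
    # Single-pair variant under a unique key: both values survive, nothing overwritten.
    print(build_value_map([iam_role_provider, flow_attribute_string_provider("role", "saml_role")]))
```

The overwritten list is the check to watch for when auditing a configuration: any entry means a session-supplied string has replaced a value the ticket string provider would otherwise have received from another provider.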