Clarification Needed: Unclear process for automatic retrieval of Renater user attributes and querying roles in IAM Indigo
Hello, I have 2 questions related to user attributes and roles in Indigo IAM; I hope you can help. Thank you in advance.
1. Renater User attributes retrieval
When a user authenticates with Renater and registers on the Indigo IAM using the test account etudiant1, they are prompted to manually input attributes such as given name, family name, email, etc. Is there a method to automatically detect and populate these attributes from the Renater profile (below are the fake attributes provided by Renater for etudiant1)?
Example Scenario:
- User logs in with Renater credentials.
- Redirected to IAM Indigo for registration.
- Attributes (given name, family name, etc.) are manually entered.
- Is there an automated way to fetch these attributes from the Renater profile?
2. User role (admin or not, group admin or not) and attributes Retrieval
It's unclear how to retrieve the roles of users registered on the IAM Indigo instance. Additionally, if attributes are added or updated for a user, what is the process for retrieving the updated information?
Example Scenario:
- User attributes or roles are modified in the IAM Indigo instance.
- How can the client retrieve the updated information?
- How can the roles associated with a user be queried programmatically?
Fake attributes provided by Renater for etudiant1:

| Attribute | Value |
|---|---|
| cn | Dupont Jean |
| displayName | Jean Dupont |
| eduPersonAffiliation | student;member |
| eduPersonNickname | Jean |
| eduPersonOrgDN | dc=renater,dc=fr |
| eduPersonOrgUnitDN | o=maths,dc=renater,dc=fr |
| eduPersonPrimaryAffiliation | student |
| eduPersonPrimaryOrgUnitDN | o=maths,dc=renater,dc=fr |
| eduPersonPrincipalName | [email protected] |
| eduPersonScopedAffiliation | [email protected];[email protected] |
| eduPersonTargetedID | https://test-idp.federation.renater.fr/idp/shibboleth!https://test-sp.federation.renater.fr!G7RU5R5PVWO2EQKBIO3ZHOMTQEQ2MO6J |
| facsimileTelephoneNumber | 0102030405 |
| givenName | Jean |
| l | Paris |
| labeledURI | http://example.org/dupont |
| mail | [email protected] |
| mailForwardingAddress | [email protected] |
| o | formation.renater.fr |
| ou | maths |
| pairwise-id | [email protected] |
| postalAddress | 1 rue de Paris$12345 Ville |
| preferredLanguage | FR |
| schacHomeOrganization | test-renater.fr |
| schacHomeOrganizationType | urn:schac:homeOrganizationType:int:nren |
| schacPersonalUniqueCode | urn:schac:personalUniqueCode:int:esi:fr:1234567890G |
| sn | Dupont |
| subject-id | [email protected] |
| supannActivite | {CNU}5404 |
| supannAutreMail | [email protected];[email protected] |
| supannAutreTelephone | 1234567890 |
| supannCMSType | etudiant |
| supannCivilite | Mr |
| supannCodeINE | 1234567890G |
| supannEntiteAffectation | z-123;z-124 |
| supannEntiteAffectationPrincipale | z-123 |
| supannEtablissement | {ILN}1-341725201;{AUTRE}formation.renater.fr |
| supannEtuAnneeInscription | 2008 |
| supannEtuCursusAnnee | {SUPANN}L3 |
| supannEtuDiplome | {SISE}2001350 |
| supannEtuElementPedagogique | {UAI:0171463Y}4929 |
| supannEtuEtape | {UAI:0171463Y}401 |
| supannEtuId | 12345 |
| supannEtuInscription | [etab={UAI}0131843H][anneeinsc=2007][regimeinsc={SISE}10][sectdisc={SISE}04][typedip={SISE}YA][cursusann=D3][affect=56R17][diplome={SISE}2001099][etape={UAI:0131843H}B8EFAI-B8EFA3] |
| supannEtuRegimeInscription | {SISE}10 |
| supannEtuSecteurDisciplinaire | {SISE}27 |
| supannEtuTypeDiplome | {SISE}DC |
| supannListeRouge | FALSE |
| supannMailPerso | [email protected] |
| supannNomDeNaissance | Dupont |
| supannOIDCDateDeNaissance | 1993-02-04 |
| supannOIDCGenre | male |
| supannPrenomsEtatCivil | Jean Pierre |
| supannRefId | {INE}1234567890G;{APOGEE}12345 |
| supannRessourceEtat | {MAIL}I:SupannExpire;{COMPTE}A |
| supannRessourceEtatDate | {COMPTE}I:SupannExpire:20211212:20220612;{COMPTE}A:SupannSursis:20210912:20211212;{COMPTE}A::20180115: |
| supannRoleEntite | [role=PRESIDENT][type=CONSEIL-ETUDIANT] |
| supannRoleGenerique | PRESIDENT-CONSEIL-ETUDIANT |
| telephoneNumber | +33 1 23 45 67 89 |
| title | M. |
| uid | etudiant1 |
Hi @bl000m,
> Hello, I have 2 questions related to user attributes and roles in Indigo IAM, I hope you can help. Thank you in advance
>
> 1. Renater User attributes retrieval
>
> When a user authenticates with Renater and registers on the Indigo IAM using the test account etudiant1, they are prompted to manually input attributes such as given name, family name, email, etc. Is there a method to automatically detect and populate these attributes (below the fake attributes provided by Renater for etudiant1) from the Renater profile?
>
> Example Scenario:
> - User logs in with Renater credentials.
> - Redirected to IAM Indigo for registration.
> - Attributes (given name, family name, etc.) are manually entered.
> - Is there an automated way to fetch these attributes from the Renater profile?
You can configure it by adding the following section to your application-*.yml file:

```yaml
iam:
  registration:
    samlEntityId: ${IAM_SAML_IDP_METADATA}
    authentication-type: saml
    fields:
      name:
        read-only: false
        external-auth-attribute: given_name
      surname:
        read-only: false
        external-auth-attribute: family_name
      email:
        read-only: false
        external-auth-attribute: email
      username:
        read-only: false
        external-auth-attribute: suggested_username
```
Note that the attribute names (given_name, etc.) are derived from the SAML assertion that is returned after authentication with an external provider. Sometimes, for instance, some assertions return preferred_username rather than suggested_username. You can later verify this at the /iam/authn-info endpoint after logging in with your IdP.
I think this last sentence also partly answers the second question.
> 2. User role (admin or not, group admin or not) and attributes Retrieval
>
> It's unclear how to retrieve the roles of users registered on the IAM Indigo instance. Additionally, if attributes are added or updated for a user, what is the process for retrieving the updated information?
>
> Example Scenario:
> - User attributes or roles are modified in the IAM Indigo instance.
> - How can the client retrieve the updated information?
> - How can the roles associated with a user be queried programmatically?
Also, other user info, like roles, attributes, etc., can be obtained via IAM account API. Only Admins can access this API, but starting from IAM v1.8.2 access is based on the iam:admin.read and iam:admin.write scopes (no longer based on roles).
Ref. https://indigo-iam.github.io/v/v1.8.2/docs/reference/api/account-api/
Hi @rmiccoli,
Thanks for your response. I'm a bit unsure where to add the .yml file exactly.
I've realized my initial questions may not have been clear. I made a quick video to help explain: Video Link
In the video, you'll see that the Renater test user is asked to register before being redirected to the client callback. So I wonder how the config .yml could fix the problem; could you clarify that?
I also have another question. After a user is prompted to register in the Indigo IAM instance, can I customize it by showing an alert like "Your request has been sent for approval. You'll be notified once it's validated. Feel free to leave this page. See you soon."? Or, even better, could we skip the admin approval for the user if he's affiliated with the entity corresponding to the research infrastructure for which the Indigo IAM instance is meant? Would that be possible?
For the second question, here's an example scenario for clarification:
- A user with no admin role logs into FITS via Indigo IAM.
- How can I find out their role to prevent access to admin features if they can't access the account API?
Thanks for your help
> Hi @rmiccoli,
>
> Thanks for your response. I'm a bit unsure where to add the .yml file exactly.
>
> I've realized my initial questions may not have been clear. I made a quick video to help explain: Video Link
>
> In the video, you'll see that the Renater test user is asked to register before being redirected to the client callback. So I wonder how the config .yml could fix the problem, may you clarify that ?
If you use a docker container, you can mount the file in the default directory /indigo-iam/config.
If your file is named application-pippo.yml, remember to set the profile pippo in the IAM_JAVA_OPTS env variable.
e.g. `IAM_JAVA_OPTS=-Dspring.profiles.active=pippo`
> I also have another question. After a user is prompted to register in the Indigo IAM instance, can I customize it by showing an alert like "Your request has been sent for approval. You'll be notified once it's validated. Feel free to leave this page. See you soon."? Or it would be even better if we should skip the admin approval for the user if he's affiliated with the entity corresponding to the research infrastructure for which the Indigo IAM Instance is meant. Would it be possible?
No, it is not possible at the moment. We have some work ready on autoprovisioning but there are bugs to work out.
> For the second question, here's an example scenario for clarification:
> - A user with no admin role logs into FITS via Indigo IAM.
> - How can I find out their role to prevent access to admin features if they can't access the account API?
>
> Thanks for your help
If I understood your question correctly, an authenticated user can only access their own info (attributes, authorities) through the web interface.
e.g. `https://<your-iam-instance>/iam/me/authorities` or `https://<your-iam-instance>/iam/account/<uuid>/attributes`
Thank you @rmiccoli,
I have a docker compose that mounts on iam-login-service the files generated from other containers.
- I've added ./Conf/application-renater.yml on the host and mounted it like the others (see below).
- I've also updated IAM_JAVA_OPTS as follows: `IAM_JAVA_OPTS=-Dspring.profiles.active=prod,oidc,saml,registration,renater`
- compose down + compose up
But still the Renater test user is prompted to manually add his data in the registration form. Where am I wrong?
NB: thanks for the other question, I think it's clear now
```yaml
  jwtk_generator:
    build:
      context: ./Docker/jwtk_generator
    container_name: jwtk_generator
    env_file:
      - .env
    volumes:
      - jwtk_gen:/app
    command: tail -f /dev/null
    networks:
      - default
    restart: unless-stopped
  cert_generator:
    build:
      context: ./Docker/cert_generator
      args:
        - IAM_SAML_KEY_PASSWORD=${IAM_SAML_KEY_PASSWORD}
        - IAM_HOST=${IAM_HOST}
    container_name: cert_generator
    volumes:
      - cert_gen:/certs
    env_file:
      - .env
    command: tail -f /dev/null
    networks:
      - default
    restart: unless-stopped
  iam-login-service:
    image: indigoiam/iam-login-service
    container_name: iam-login-service
    ports:
      - 8080:8080
    env_file:
      - .env
    volumes:
      - ./DB/mariadb_data_iam_db:/var/lib/mysql
      - ./Tokens/keystore.jwks:/keystore.jwks
      - ./Certs/self-signed.jks:/self-signed.jks
      - ./Conf/application-renater.yml:/application-renater.yml
    restart: unless-stopped
    depends_on:
      - mariadb_iam_db
      - jwtk_generator
      #- cert_generator
    networks:
      - default
```
Please replace `- ./Conf/application-renater.yml:/application-renater.yml` with `- ./Conf/application-renater.yml:/indigo-iam/config/application-renater.yml` and be sure that in the IAM log you have something like
2023-11-17 10:34:36.584 INFO 368629 --- [ restartedMain] it.infn.mw.iam.IamLoginService : The following ... profiles are active: "renater", ...
I did it. I have this IAM log: The following 7 profiles are active: "prod", "mysql", "flyway-repair", "oidc", "saml", "registration", "renater" but still the user from renater is asked to manually register
To check, if I run:
- `sudo docker exec -it iam-login-service bash` and then
- `cat ./config/application-renater.yml`

I get:
```yaml
iam:
  registration:
    samlEntityId: ${IAM_SAML_IDP_METADATA}
    authentication-type: saml
    fields:
      name:
        read-only: false
        external-auth-attribute: given_name
      surname:
        read-only: false
        external-auth-attribute: family_name
      email:
        read-only: false
        external-auth-attribute: email
      username:
        read-only: false
        external-auth-attribute: suggested_username
```
If I run:
- `env | grep IAM_SAML_IDP_METADATA`

I do find: `IAM_SAML_IDP_METADATA=http://pub.federation.renater.fr/metadata/test/preview/preview-idps-test-metadata.xml`

What am I doing wrong? Thanks.
Once you get to the login form, can you please verify that you can see the attributes given_name, etc., at the /iam/authn-info endpoint?
At the /iam/authn-info endpoint I see this (only suggested_username is not null):
```json
{
  "type": "SAML",
  "issuer": "https://test-idp.federation.renater.fr/idp/shibboleth",
  "subject": "[email protected]",
  "subject_attribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
  "email": null,
  "given_name": null,
  "family_name": null,
  "suggested_username": "[email protected]",
  "additional_attributes": {
    "EPPN": "[email protected]",
    "EPUID": "[email protected]",
    "type": "saml",
    "idpEntityId": "https://test-idp.federation.renater.fr/idp/shibboleth"
  }
}
```
> At the /iam/authn-info endpoint I see this (only suggested_username is not null):
It means that Renater IdP does not provide those attributes, but you should at least see the username field filled out with value [email protected] in the registration form.
If you use the student profile, you should get those attributes (I took a look at https://services.renater.fr/federation/en/outils/outils-de-test/idp-de-test).
> It means that Renater IdP does not provide those attributes, but you should at least see the username field filled out with value [email protected] in the registration form.
Yes, I do see the username field, but it's mapped on eduPersonPrincipalName; how can I map it on displayName? All the other fields are empty. Actually, Renater should provide all the attributes (see above in the first message I posted the fake attributes provided by Renater for etudiant1, or in the link you looked at - https://services.renater.fr/federation/en/outils/outils-de-test/idp-de-test - click on "our test service provider", then "federation de test"; you can log in with the etudiant1 credentials to check the attributes).
Thanks for your help.
Yes, actually I can see them also by authenticating with the authorized reader profile credentials. The fact that you see the username mapped on eduPersonPrincipalName is due to an IAM internal mapping:
SAML -> IAM
- givenName -> given_name
- sn -> family_name
- mail -> email
- eduPersonPrincipalName -> suggested_username
(ref. https://github.com/indigo-iam/iam/blob/master/iam-login-service/src/main/java/it/infn/mw/iam/authn/saml/SamlExternalAuthenticationToken.java#L70)
The other SAML attributes are published under additional_attributes claim. They include the commonName (cn), not the displayName, so you could change the configuration by replacing the suggested_username with CN.
The weird thing is that the other attributes, like CN, are not shown (or are null) even if they are present. I'll investigate further.
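As an added check (example code, not from the IAM project or from anyone in this thread), the script below applies the iam.registration.fields mapping from the application-*.yml above to the /iam/authn-info body quoted earlier and reports which registration fields would be pre-filled and which the user would still have to type. It assumes the lookup order top-level claim first, then additional_attributes (this order is an assumption, not verified against the IAM source).

```python
import json

# The iam.registration.fields section from the thread's application-*.yml, as a dict.
REGISTRATION_FIELDS = {
    "name": {"read-only": False, "external-auth-attribute": "given_name"},
    "surname": {"read-only": False, "external-auth-attribute": "family_name"},
    "email": {"read-only": False, "external-auth-attribute": "email"},
    "username": {"read-only": False, "external-auth-attribute": "suggested_username"},
}

# Constructed sample: the /iam/authn-info body quoted in the thread (e-mail values
# are redacted on the page and kept that way here).
AUTHN_INFO_JSON = """{
  "type": "SAML",
  "issuer": "https://test-idp.federation.renater.fr/idp/shibboleth",
  "subject": "[email protected]",
  "subject_attribute": "urn:oid:1.3.6.1.4.1.5923.1.1.1.13",
  "email": null, "given_name": null, "family_name": null,
  "suggested_username": "[email protected]",
  "additional_attributes": {
    "EPPN": "[email protected]", "EPUID": "[email protected]", "type": "saml",
    "idpEntityId": "https://test-idp.federation.renater.fr/idp/shibboleth"
  }
}"""

def resolve_attribute(info, name):
    """Return (value, where_found). Assumed lookup order, not verified against IAM
    source: top-level claim first, then additional_attributes (remaining SAML attrs)."""
    if info.get(name) is not None:
        return info[name], "top-level"
    extra = info.get("additional_attributes") or {}
    if extra.get(name) is not None:
        return extra[name], "additional_attributes"
    return None, None  # absent or null: the registration field stays empty

def check_mapping(fields, info):
    """Per registration field: configured attribute, resolved value, source, pre-filled?"""
    report = {}
    for field, cfg in fields.items():
        attr = cfg["external-auth-attribute"]
        value, source = resolve_attribute(info, attr)
        report[field] = {"attribute": attr, "value": value, "source": source,
                         "prefilled": value is not None}
    return report

def missing_fields(report):
    """Registration fields the user would still have to type by hand."""
    return sorted(f for f, r in report.items() if not r["prefilled"])

def sample_report(fields=REGISTRATION_FIELDS, authn_info_json=AUTHN_INFO_JSON):
    """Run the check on the page's config against the page's authn-info sample."""
    return check_mapping(fields, json.loads(authn_info_json))

if __name__ == "__main__":
    print("still manual:", missing_fields(sample_report()))
```

Swapping the `external-auth-attribute` of `username` for a key that only exists under additional_attributes (for example EPPN) shows the fallback path; swapping it for `cn` reproduces the empty field observed above, because the sample body never contains it.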