OIDC Attribute Mapping
Keycloak/SiteMinder (IDIR and BCeID): it's a little bit complicated, because the attributes pass through three hops:
- SiteMinder exposes certain attributes to Pathfinder SSO (Keycloak).
- Pathfinder SSO maps these to OIDC claims (see Identity Provider Attribute Mapping and the Gold Migration Guide for the mapping references).
- Cognito maps those claims to user pool attributes: standard ones (given_name, family_name, email, ...) and custom ones prefixed `custom:` (described in this document).
BCSC: slightly simpler, two hops:
- The BCSC OIDC service exposes certain attributes to Cognito through its userinfo endpoint (the ID token it issues carries none; see the BCSC notes below).
- Cognito maps these to user pool attributes (described in this document).
IDIR

Note: Pathfinder SSO preferred_username={{useridentifier}}@idir

| Attribute | SiteMinder | Pathfinder SSO | FAM (Cognito) |
|---|---|---|---|
| Email Verified | ? | email_verified | email_verified |
| IDIR User GUID | useridentifier | idir_user_guid | custom:idp_user_id |
| IDIR User ID | username | idir_username | custom:idp_username |
| Name of SSO IDP | N/A | identity_provider | custom:idp_name |
| KC Username | N/A | preferred_username | custom:keycloak_username |
| Display Name | displayname | display_name | custom:idp_display_name |
| First Name | firstname | given_name | given_name |
| Last Name | lastname | family_name | family_name |
| Name | ? | name | name |

Caveat: the GUID is upper-case in idir_user_guid / custom:idp_user_id but lower-case in preferred_username and cognito:username (compare the samples below), so any code that joins the two must compare case-insensitively. In the IDIR Cognito sample below the Keycloak preferred_username also arrives under `preferred_username` rather than `custom:keycloak_username`.
BCeID Business

Note: Pathfinder SSO preferred_username={{SMGOV_USERGUID}}@bceidbusiness

| Attribute | SiteMinder | Pathfinder SSO | FAM (Cognito) |
|---|---|---|---|
| Email Verified | ? | email_verified | email_verified |
| BCeID User GUID | SMGOV_USERGUID | bceid_user_guid | custom:idp_user_id |
| BCeID User Name | SMGOV_USERDISPLAYNAME | bceid_username | custom:idp_username |
| Name of SSO IDP | N/A | identity_provider | custom:idp_name |
| KC Username | N/A | preferred_username | custom:keycloak_username |
| Display Name | displayname | display_name | custom:idp_display_name |
| BCeID Business GUID | SMGOV_BUSINESSGUID | bceid_business_guid | custom:idp_business_id |
| BCeID Business Name | SMGOV_BUSINESSLEGALNAME | bceid_business_name | custom:idp_business_name |

Caveat: BCeID Business releases no given_name/family_name/name, only display_name (see the samples below), and email_verified is false even though an email is present, so the address must not be treated as verified.
BCSC

| Attribute | BCSC OIDC | FAM (Cognito) |
|---|---|---|
| Email Verified | email_verified | email_verified |
| BCSC User GUID | sub | custom:idp_user_id |
| Name of SSO IDP | aud | custom:idp_name |
| Display Name | display_name | custom:idp_display_name |
| First Name | given_name | given_name |
| Last Name | family_name | family_name |
| Given Names | given_names | custom:given_names |
| Gender | gender | gender |
| Address | address | address |
| Birth Date | birthdate | birthdate |

Two quirks are visible in the BCSC Cognito sample below. First, custom:idp_name receives the upstream `aud` claim, which Cognito stores as the stringified array `"[ca.bc.gov.flnr.fam.test]"`, so it holds the BCSC client id, not an IdP name; code that switches on custom:idp_name must account for that. Second, the `address` object is stored as a JSON string inside `address.formatted`, so consumers have to JSON-parse it a second time to get street_address, locality, region and postal_code.
Note: the samples below carry ALL the attributes each IdP can release. Best practice is to map only the attributes the application actually needs; BCSC in particular releases birthdate, gender and a full postal address. Note also that the Cognito access tokens carry none of the mapped attributes (only sub, username, groups and scope), so anything that needs identity attributes must read the ID token or call userinfo, and must verify the token signature and token_use before trusting either. Email addresses in the samples are redacted.

IDIR samples

Cognito ID token (IDIR):
```json
{
  "at_hash": "-1bEEs5XN4_5njobRC2obg",
  "sub": "f7e49325-3796-4663-8745-4161745e358c",
  "cognito:groups": ["ca-central-1_ixb69p4hq_IDIR"],
  "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_ixb69p4hq",
  "preferred_username": "b5ecdb094dfb4149a6a8445a01a96bf0@idir",
  "custom:idp_user_id": "B5ECDB094DFB4149A6A8445A01A96BF0",
  "custom:idp_username": "COGUSTAF",
  "identities": [
    {
      "userId": "b5ecdb094dfb4149a6a8445a01a96bf0@idir",
      "providerName": "IDIR",
      "providerType": "OIDC",
      "issuer": null,
      "primary": "true",
      "dateCreated": "1664399277929"
    }
  ],
  "auth_time": 1664567809,
  "custom:idp_display_name": "Gustafson, Conrad CITZ:IN",
  "exp": 1664571409,
  "iat": 1664567809,
  "jti": "52cb729d-91a8-4e51-b5ac-1ed388c24368",
  "email": "[email protected]",
  "email_verified": false,
  "custom:idp_name": "idir",
  "cognito:username": "idir_b5ecdb094dfb4149a6a8445a01a96bf0@idir",
  "given_name": "Conrad",
  "nonce": "448196a0-34df-446e-bb48-3ee260e00aa9",
  "origin_jti": "d8248031-6179-4b71-8443-298dcde74113",
  "aud": "1k1abiu22i4dtvqviptekkttvc",
  "token_use": "id",
  "name": "Conrad Gustafson",
  "family_name": "Gustafson"
}
```
Cognito access token (IDIR), note the absence of any mapped attributes:

```json
{
  "sub": "f7e49325-3796-4663-8745-4161745e358c",
  "cognito:groups": ["ca-central-1_ixb69p4hq_IDIR"],
  "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_ixb69p4hq",
  "version": 2,
  "client_id": "1k1abiu22i4dtvqviptekkttvc",
  "origin_jti": "d8248031-6179-4b71-8443-298dcde74113",
  "token_use": "access",
  "scope": "openid profile email",
  "auth_time": 1664567809,
  "exp": 1664571409,
  "iat": 1664567809,
  "jti": "aed19ff6-bfb4-4131-901a-7282e06447c2",
  "username": "idir_b5ecdb094dfb4149a6a8445a01a96bf0@idir"
}
```
Pathfinder SSO (Keycloak) ID token (IDIR), as received by Cognito:

```json
{
  "exp": 1664497467,
  "iat": 1664497167,
  "auth_time": 1664497151,
  "jti": "c7767558-28d2-4d95-96cc-dbb2829104c4",
  "iss": "https://dev.loginproxy.gov.bc.ca/auth/realms/standard",
  "aud": "fsa-cognito-idir-dev-4088",
  "sub": "b5ecdb094dfb4149a6a8445a01a96bf0@idir",
  "typ": "ID",
  "azp": "fsa-cognito-idir-dev-4088",
  "nonce": "cffb000a-d2ae-47cd-b89c-ddf78d749008",
  "session_state": "1f8895c1-5d26-4142-a81a-399f620d980c",
  "at_hash": "XQw-4UVbEzhlXXxciejxVw",
  "sid": "1f8895c1-5d26-4142-a81a-399f620d980c",
  "idir_user_guid": "B5ECDB094DFB4149A6A8445A01A96BF0",
  "identity_provider": "idir",
  "idir_username": "COGUSTAF",
  "email_verified": false,
  "name": "Conrad Gustafson",
  "preferred_username": "b5ecdb094dfb4149a6a8445a01a96bf0@idir",
  "display_name": "Gustafson, Conrad CITZ:IN",
  "given_name": "Conrad",
  "family_name": "Gustafson",
  "email": "[email protected]"
}
```
Pathfinder SSO (Keycloak) access token (IDIR):

```json
{
  "exp": 1664497467,
  "iat": 1664497167,
  "auth_time": 1664497151,
  "jti": "08950374-61aa-4148-add1-ac9b87fc246f",
  "iss": "https://dev.loginproxy.gov.bc.ca/auth/realms/standard",
  "aud": "fsa-cognito-idir-dev-4088",
  "sub": "b5ecdb094dfb4149a6a8445a01a96bf0@idir",
  "typ": "Bearer",
  "azp": "fsa-cognito-idir-dev-4088",
  "nonce": "cffb000a-d2ae-47cd-b89c-ddf78d749008",
  "session_state": "1f8895c1-5d26-4142-a81a-399f620d980c",
  "scope": "openid idir email profile",
  "sid": "1f8895c1-5d26-4142-a81a-399f620d980c",
  "idir_user_guid": "B5ECDB094DFB4149A6A8445A01A96BF0",
  "identity_provider": "idir",
  "idir_username": "COGUSTAF",
  "email_verified": false,
  "name": "Conrad Gustafson",
  "preferred_username": "b5ecdb094dfb4149a6a8445a01a96bf0@idir",
  "display_name": "Gustafson, Conrad CITZ:IN",
  "given_name": "Conrad",
  "family_name": "Gustafson",
  "email": "[email protected]"
}
```
BCeID Business samples

Cognito ID token (BCeID Business):
```json
{
  "at_hash": "dePMKtQRYKvBZSD-S4YCAw",
  "sub": "7256344c-fa66-43c8-86d9-a7b37211446b",
  "cognito:groups": ["ca-central-1_ixb69p4hq_BCEIDBUSINESS"],
  "email_verified": false,
  "custom:idp_name": "bceidbusiness",
  "custom:idp_business_id": "BF1A4D90CC664E7BBB517D451A78C378",
  "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_ixb69p4hq",
  "cognito:username": "bceidbusiness_1b02e51b6a214b64b27e6ee66cb9a389@bceidbusiness",
  "nonce": "a1d57700-883e-4b20-82e7-de62ba04cf8e",
  "custom:idp_user_id": "1B02E51B6A214B64B27E6EE66CB9A389",
  "origin_jti": "f0010e8b-36de-4aa1-bb60-d8c853d06bf8",
  "aud": "4b0fu3vsbqnu6mqpd89okltsll",
  "custom:idp_username": "conradgustafson",
  "identities": [
    {
      "userId": "1b02e51b6a214b64b27e6ee66cb9a389@bceidbusiness",
      "providerName": "BCEIDBUSINESS",
      "providerType": "OIDC",
      "issuer": null,
      "primary": "true",
      "dateCreated": "1664493249359"
    }
  ],
  "token_use": "id",
  "auth_time": 1664568161,
  "custom:idp_display_name": "Conrad Gustafson",
  "exp": 1664571761,
  "custom:idp_business_name": "Gustafson, Conrad",
  "iat": 1664568161,
  "jti": "3c6500ae-4dea-4188-9c7f-f666756b2278",
  "email": "[email protected]"
}
```
Cognito access token (BCeID Business):

```json
{
  "sub": "7256344c-fa66-43c8-86d9-a7b37211446b",
  "cognito:groups": ["ca-central-1_ixb69p4hq_BCEIDBUSINESS"],
  "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_ixb69p4hq",
  "version": 2,
  "client_id": "4b0fu3vsbqnu6mqpd89okltsll",
  "origin_jti": "f0010e8b-36de-4aa1-bb60-d8c853d06bf8",
  "token_use": "access",
  "scope": "openid profile email",
  "auth_time": 1664568161,
  "exp": 1664571761,
  "iat": 1664568161,
  "jti": "76c4bf07-36b1-42be-a292-733c3387baab",
  "username": "bceidbusiness_1b02e51b6a214b64b27e6ee66cb9a389@bceidbusiness"
}
```
Pathfinder SSO (Keycloak) ID token (BCeID Business), as received by Cognito:

```json
{
  "exp": 1664497826,
  "iat": 1664497526,
  "auth_time": 1664497489,
  "jti": "90e5d5c9-f407-4148-a796-da23e49dffdc",
  "iss": "https://dev.loginproxy.gov.bc.ca/auth/realms/standard",
  "aud": "fsa-cognito-b-ce-id-business-dev-4090",
  "sub": "1b02e51b6a214b64b27e6ee66cb9a389@bceidbusiness",
  "typ": "ID",
  "azp": "fsa-cognito-b-ce-id-business-dev-4090",
  "nonce": "b0e571bf-2946-49e3-85dd-1439f6c3b2f7",
  "session_state": "fcd3077f-063e-4af2-b20b-24eaa0d102b8",
  "at_hash": "rT0y6pEklcbDd4YWQm6zjA",
  "sid": "fcd3077f-063e-4af2-b20b-24eaa0d102b8",
  "bceid_business_guid": "BF1A4D90CC664E7BBB517D451A78C378",
  "bceid_business_name": "Gustafson, Conrad",
  "bceid_user_guid": "1B02E51B6A214B64B27E6EE66CB9A389",
  "identity_provider": "bceidbusiness",
  "bceid_username": "conradgustafson",
  "email_verified": false,
  "preferred_username": "1b02e51b6a214b64b27e6ee66cb9a389@bceidbusiness",
  "display_name": "Conrad Gustafson",
  "email": "[email protected]"
}
```
Pathfinder SSO (Keycloak) access token (BCeID Business):

```json
{
  "exp": 1664497826,
  "iat": 1664497526,
  "auth_time": 1664497489,
  "jti": "eb9e393a-dde2-41f9-b316-197cd53af495",
  "iss": "https://dev.loginproxy.gov.bc.ca/auth/realms/standard",
  "aud": "fsa-cognito-b-ce-id-business-dev-4090",
  "sub": "1b02e51b6a214b64b27e6ee66cb9a389@bceidbusiness",
  "typ": "Bearer",
  "azp": "fsa-cognito-b-ce-id-business-dev-4090",
  "nonce": "b0e571bf-2946-49e3-85dd-1439f6c3b2f7",
  "session_state": "fcd3077f-063e-4af2-b20b-24eaa0d102b8",
  "scope": "openid bceidbusiness email profile",
  "sid": "fcd3077f-063e-4af2-b20b-24eaa0d102b8",
  "bceid_business_guid": "BF1A4D90CC664E7BBB517D451A78C378",
  "bceid_business_name": "Gustafson, Conrad",
  "bceid_user_guid": "1B02E51B6A214B64B27E6EE66CB9A389",
  "identity_provider": "bceidbusiness",
  "bceid_username": "conradgustafson",
  "email_verified": false,
  "preferred_username": "1b02e51b6a214b64b27e6ee66cb9a389@bceidbusiness",
  "display_name": "Conrad Gustafson",
  "email": "[email protected]"
}
```
BCSC samples

Cognito ID token (BCSC, test environment):

```json
{
  "at_hash": "szpXM2MxH0ICVP-agqfshw",
  "sub": "112f4f87-5594-4e00-bf64-439e0a0ef20f",
  "custom:given_names": "GIVENONE GIVENTWO",
  "birthdate": "1986-11-12",
  "gender": "unknown",
  "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_skTtj441o",
  "custom:idp_user_id": "NA5TCPGMIGUFVCSS6SAO3TIDBMAHXL3F",
  "identities": [
    {
      "userId": "NA5TCPGMIGUFVCSS6SAO3TIDBMAHXL3F",
      "providerName": "TEST-BCSC",
      "providerType": "OIDC",
      "issuer": null,
      "primary": "true",
      "dateCreated": "1683668717501"
    }
  ],
  "auth_time": 1683668737,
  "custom:idp_display_name": "GIVENONE SURNAME",
  "exp": 1683672337,
  "iat": 1683668739,
  "jti": "303a7b3e-f81f-47b4-8d43-45ab50121528",
  "email": "[email protected]",
  "email_verified": true,
  "address": {
    "formatted": "{\"street_address\":\"4000 SEYMOUR PLACE\",\"country\":\"CA\",\"locality\":\"VICTORIA\",\"region\":\"BC\",\"postal_code\":\"V8Z 1C8\"}"
  },
  "custom:idp_name": "[ca.bc.gov.flnr.fam.test]",
  "cognito:username": "test-bcsc_na5tcpgmigufvcss6sao3tidbmahxl3f",
  "given_name": "GIVENONE",
  "nonce": "6a20f913-31fb-42df-b8b2-181b3f092d32",
  "origin_jti": "8263f327-6a7c-4b7c-a593-2ce59a2ef5c6",
  "aud": "1fooctlkusvhen2mmqgqj35to9",
  "token_use": "id",
  "family_name": "SURNAME"
}
```
Cognito access token (BCSC, test environment):

```json
{
  "sub": "112f4f87-5594-4e00-bf64-439e0a0ef20f",
  "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_skTtj441o",
  "version": 2,
  "client_id": "1fooctlkusvhen2mmqgqj35to9",
  "origin_jti": "8263f327-6a7c-4b7c-a593-2ce59a2ef5c6",
  "token_use": "access",
  "scope": "openid profile email",
  "auth_time": 1683668737,
  "exp": 1683669037,
  "iat": 1683668739,
  "jti": "ed306d54-bb94-4953-963d-cf42810504d8",
  "username": "test-bcsc_na5tcpgmigufvcss6sao3tidbmahxl3f"
}
```
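Putting the three mappings together: the following is an added example, not FAM project code. It normalizes a Cognito ID token payload from any of the three IdPs into one record keyed by IdP and upstream user id, and applies the checks the samples above motivate: `token_use` must be `id` (the access tokens carry no attributes), `iss`/`aud` must match the pool and app client, the identifier in `cognito:username` must agree case-insensitively with `custom:idp_user_id`, the BCSC `custom:idp_name` arrives as a stringified `aud` array, `address.formatted` must be JSON-parsed, and `email_verified` is compared explicitly rather than with `bool()`. The `FamUser` record, `ClaimError`, the keyword parameters and the `bcsc_client_ids` set are assumptions of this example; the sample inputs are trimmed from the tokens on this page (redacted emails omitted). Signature verification against the user pool's JWKS is assumed to have happened before this code runs.

```python
"""Normalize Cognito ID-token claims from the IDIR, BCeID Business and BCSC mappings."""
import json
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FamUser:                    # example record shape, not FAM's own model
    idp: str                      # "idir", "bceidbusiness" or "bcsc"
    user_guid: str                # upstream user id, upper-cased: the stable join key
    username: str                 # IDIR/BCeID username; BCSC has none
    display_name: str
    email_verified: bool
    given_name: str = ""
    family_name: str = ""
    given_names: str = ""         # BCSC only (custom:given_names)
    business_guid: str = ""       # BCeID Business only
    business_name: str = ""
    address: dict = field(default_factory=dict)  # BCSC only, parsed from address.formatted


class ClaimError(ValueError):
    """Raised when the token is not an acceptable, self-consistent ID token."""


def _as_bool(value) -> bool:
    # Some IdPs hand email_verified over as the string "false"; bool("false") is True,
    # so compare explicitly instead of coercing.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def _cognito_local_part(cognito_username: str) -> str:
    # cognito:username is "<provider>_<upstream id>", where Keycloak-fronted IdPs add an
    # "@idir" / "@bceidbusiness" suffix and everything is lower-cased (see samples above).
    _, _, rest = cognito_username.partition("_")
    return rest.split("@", 1)[0]


def _idp_from_aud_string(value: str, bcsc_client_ids: set) -> str:
    # For BCSC the mapping puts the upstream `aud` claim into custom:idp_name and Cognito
    # stringifies the array, e.g. "[ca.bc.gov.flnr.fam.test]". Unwrap and match it.
    inner = value[1:-1] if value.startswith("[") and value.endswith("]") else value
    if {p.strip() for p in inner.split(",")} & bcsc_client_ids:
        return "bcsc"
    raise ClaimError(f"unrecognised custom:idp_name {value!r}")


def normalize_id_token(claims: dict, *, expected_iss: str, expected_aud: str,
                       bcsc_client_ids: set, now: Optional[int] = None) -> FamUser:
    """Validate the claims of an already signature-verified Cognito ID token and map them."""
    now = int(time.time()) if now is None else now
    if claims.get("token_use") != "id":
        raise ClaimError("not an ID token; Cognito access tokens carry no mapped attributes")
    if claims.get("iss") != expected_iss:
        raise ClaimError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ClaimError("unexpected audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ClaimError("token expired")

    idp_name = claims["custom:idp_name"]
    idp = idp_name if idp_name in ("idir", "bceidbusiness") else _idp_from_aud_string(idp_name, bcsc_client_ids)

    # The GUID is upper-case in custom:idp_user_id and lower-case in cognito:username; both
    # must name the same principal, compared case-insensitively.
    user_guid = claims["custom:idp_user_id"].upper()
    if _cognito_local_part(claims["cognito:username"]).upper() != user_guid:
        raise ClaimError("cognito:username does not match custom:idp_user_id")

    address: dict = {}
    raw_addr = claims.get("address")
    if isinstance(raw_addr, dict) and "formatted" in raw_addr:
        try:
            address = json.loads(raw_addr["formatted"])  # BCSC address object, JSON-in-a-string
        except ValueError as exc:
            raise ClaimError("address.formatted is not valid JSON") from exc

    return FamUser(
        idp=idp, user_guid=user_guid,
        username=claims.get("custom:idp_username", ""),
        display_name=claims.get("custom:idp_display_name", ""),
        email_verified=_as_bool(claims.get("email_verified")),
        given_name=claims.get("given_name", ""), family_name=claims.get("family_name", ""),
        given_names=claims.get("custom:given_names", ""),
        business_guid=claims.get("custom:idp_business_id", ""),
        business_name=claims.get("custom:idp_business_name", ""),
        address=address,
    )


# Constructed inputs, trimmed from the IDIR and BCSC Cognito ID token samples on this page.
SAMPLE_IDIR = {
    "token_use": "id", "aud": "1k1abiu22i4dtvqviptekkttvc", "exp": 1664571409,
    "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_ixb69p4hq",
    "custom:idp_name": "idir", "custom:idp_user_id": "B5ECDB094DFB4149A6A8445A01A96BF0",
    "custom:idp_username": "COGUSTAF", "cognito:username": "idir_b5ecdb094dfb4149a6a8445a01a96bf0@idir",
    "custom:idp_display_name": "Gustafson, Conrad CITZ:IN", "email_verified": False,
    "given_name": "Conrad", "family_name": "Gustafson",
}
SAMPLE_BCSC = {
    "token_use": "id", "aud": "1fooctlkusvhen2mmqgqj35to9", "exp": 1683672337,
    "iss": "https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_skTtj441o",
    "custom:idp_name": "[ca.bc.gov.flnr.fam.test]", "custom:idp_user_id": "NA5TCPGMIGUFVCSS6SAO3TIDBMAHXL3F",
    "cognito:username": "test-bcsc_na5tcpgmigufvcss6sao3tidbmahxl3f",
    "custom:idp_display_name": "GIVENONE SURNAME", "custom:given_names": "GIVENONE GIVENTWO",
    "given_name": "GIVENONE", "family_name": "SURNAME", "email_verified": True,
    "address": {"formatted": "{\"street_address\":\"4000 SEYMOUR PLACE\",\"country\":\"CA\","
                             "\"locality\":\"VICTORIA\",\"region\":\"BC\",\"postal_code\":\"V8Z 1C8\"}"},
}
```

Keying users on `(idp, user_guid)` rather than on `sub` matters here because `sub` is the Cognito-local id and changes if the user pool is rebuilt, while the upstream GUID (or BCSC `sub`) survives.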
Note: the ID token BCSC returns from its token endpoint carries no profile attributes (compare the dev and test ID token samples below, which hold little more than iss, aud, exp, iat and jti). To get attributes you have to call the userinfo endpoint. Additionally, BCSC's userinfo endpoint returns a signed JWT rather than a plain JSON object, which Cognito's OIDC federation does not accept, so it was necessary to proxy the userinfo endpoint and unwrap the token into JSON for Cognito. The first sample below is the proxied (decoded) response, not the raw token. Because that proxy becomes the source of every identity attribute Cognito stores, it must verify the JWT's signature against BCSC's published keys and check iss and aud before returning any claims. In this dev sample the userinfo transaction_identifier equals the jti of the ID token that follows it, which ties the two responses to the same authentication.

BCSC userinfo response (dev), as decoded by the proxy:
```json
{
  "sub": "6RRZFAU3ANJ5WASQ4N22GKJXSM4ZKBUN",
  "birthdate": "1967-01-23",
  "email_verified": true,
  "address": {
    "street_address": "4000 SEYMOUR PLACE",
    "country": "CA",
    "locality": "VICTORIA",
    "region": "BC",
    "postal_code": "V8Z 1C8"
  },
  "gender": "unknown",
  "iss": "https://idtest.gov.bc.ca/oauth2/",
  "given_name": "GIVENONE",
  "given_names": "GIVENONE GIVENTWO",
  "display_name": "GIVENONE SURNAME",
  "aud": "ca.bc.gov.flnr.fam.dev",
  "transaction_identifier": "e72d7431-aae8-4ecd-9891-60199686159e",
  "family_name": "SURNAME",
  "iat": 1679937534,
  "email": "[email protected]",
  "jti": "c852f5f8-74fe-48f9-abee-ae8ab8ee49a4"
}
```
BCSC ID token (dev) from the token endpoint, with no attributes:

```json
{
  "aud": "ca.bc.gov.flnr.fam.dev",
  "iss": "https://idtest.gov.bc.ca/oauth2/",
  "exp": 1679941055,
  "iat": 1679937455,
  "jti": "e72d7431-aae8-4ecd-9891-60199686159e"
}
```
BCSC ID token (test) from the token endpoint, again without attributes (sub, acr, kid and nonce are present here but no profile claims):

```json
{
  "sub": "NA5TCPGMIGUFVCSS6SAO3TIDBMAHXL3F",
  "aud": "ca.bc.gov.flnr.fam.test",
  "acr": "3",
  "kid": "rsa1",
  "iss": "https://idtest.gov.bc.ca/oauth2/",
  "exp": 1683668801,
  "iat": 1683668201,
  "nonce": "92f549ff-1ae8-49fc-a962-72111535ffdb",
  "jti": "7734527d-74ea-4e68-99be-17bee51ea89e"
}
```
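The proxy described in the BCSC note above has to do three things before it may hand claims to Cognito as JSON: verify the JWS signature against BCSC's published RSA key, pin the algorithm so the token cannot pick its own, and check iss, aud and freshness. The following is an added example of that unwrapping step in standard-library Python, not FAM's proxy; the RSASSA-PKCS1-v1_5 (RS256) verification is written out so nothing is hidden behind a library call. The JWKS dict shape follows RFC 7517; the issuer and audience values are those of the samples above and the key id `rsa1` is taken from the test ID token sample; the function names, `UserinfoError` and the `max_age` parameter are assumptions of the example. The BCSC userinfo samples above carry `iat` but no `exp`, so freshness is bounded with `max_age` on `iat`.

```python
"""Unwrap a signed-JWT userinfo response into plain JSON claims, as a proxy in front of
BCSC's userinfo endpoint must do before Cognito can consume them."""
import base64
import hashlib
import json
import time

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k octets (modulus length)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for SHA-256 with PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_pkcs1_v15_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """RS256 verification with the public modulus and exponent as integers."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15_sha256(message, k)  # constant-time not needed: public data


class UserinfoError(ValueError):
    """The userinfo JWT must not be forwarded to Cognito."""


def unwrap_userinfo_jwt(token: str, jwks: dict, *, issuer: str, audience: str,
                        now=None, max_age: int = 300) -> dict:
    """Verify a compact-serialized RS256 JWS and return its claims for re-serving as JSON."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
        signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    except ValueError as exc:  # covers JSON, base64 and encoding errors
        raise UserinfoError("malformed JWS") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise UserinfoError("malformed JWS")

    # Pin the algorithm: never let the token choose ("none", HS256 with the public key, ...).
    if header.get("alg") != "RS256" or not isinstance(header.get("kid"), str):
        raise UserinfoError(f"unacceptable alg/kid in header: {header}")
    key = next((k for k in jwks.get("keys", [])
                if k.get("kid") == header["kid"] and k.get("kty") == "RSA"), None)
    if key is None:
        raise UserinfoError(f"no RSA key with kid {header['kid']!r} in JWKS")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rsa_pkcs1_v15_verify(n, e, signing_input, signature):
        raise UserinfoError("signature verification failed")

    # Claim checks: issued by BCSC, meant for this client, and fresh (bounded by iat,
    # since these userinfo responses carry no exp), and it must name a subject.
    aud = payload.get("aud")
    aud_ok = aud == audience or (isinstance(aud, list) and audience in aud)
    if payload.get("iss") != issuer or not aud_ok:
        raise UserinfoError("iss/aud mismatch")
    iat = payload.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise UserinfoError("stale or future iat")
    if not isinstance(payload.get("sub"), str) or not payload["sub"]:
        raise UserinfoError("missing sub")
    return payload
```

The proxy then serializes the returned dict as `application/json`; the caller on the Cognito side still has to check that the userinfo `sub` matches the ID token's `sub`, as OIDC requires.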