Adding custom OIDC claims
The foundational services Identity and Access Management (IAM) uses WebSphere® Application Server Liberty as its OpenID Connect (OIDC) provider.
The IAM service uses the default scopes and claims that Liberty provides. For more information about these default scopes and claims, see Configuring claims returned by the UserInfo endpoint.
Based on your OIDC authentication requirements, you can customize the OIDC claims that are returned by the UserInfo endpoint.
You can use attributes from your LDAP server in the claims map, which is used to get user information.
To change the default claims and their mapping, or to define a custom claim, complete these steps:
Note: These steps are for customizing the claims after you install the IAM service. To customize the claims before installation, see Adding custom OIDC claims.
- Log in to your infrastructure node by using the oc login command.
- Edit the platform-auth-idp configmap.
  oc edit cm platform-auth-idp -n ibm-common-services
  In the data section, you see many data definitions including CLAIMS_MAP, CLAIMS_SUPPORTED, and SCOPE_CLAIM.
  - The CLAIMS_SUPPORTED definition includes the user information that you want to view when you call the UserInfo endpoint. The default values are always available. You can remove any claim that you don't want, or add a custom claim if required. For example, you might add shortName.
  - The CLAIMS_MAP definition includes the mapping between the CLAIMS_SUPPORTED values and the attributes that are available in your LDAP (Lightweight Directory Access Protocol) server. You can edit the default maps as required. If you add a custom claim, you must map it to an attribute that is in your LDAP server. For example, if you added shortName as a claim, you can add shortName="displayName" as the claim map, where displayName is an attribute in your LDAP server.
  - The SCOPE_CLAIM definition includes the scopes and the claims that the scope uses. If you add a custom claim, you must also add it to the SCOPE_CLAIM definition. For example, if you are using the profile scope, then based on the shortName example claim, you would add shortName to the list: SCOPE_CLAIM: profile="shortName,name,family_name,...
- Restart the auth-idp pod by deleting it.
  - Get the auth-idp pod name.
    oc get pods -n ibm-common-services | grep auth-idp
    Following is a sample output:
    auth-idp-785df784f5-qcx4z 4/4 Running 0 39d
  - Delete the auth-idp pod.
    oc delete pod <auth-idp-pod-name> -n ibm-common-services
- After the pod restarts, your updated claims are available for the endpoint to use.
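Before deleting the auth-idp pod, it is worth confirming that the three definitions agree: every supported claim has a CLAIMS_MAP entry, every mapped claim is listed as supported, and every scope only hands out supported claims. The following check is an added example, not part of the IBM documentation or product; it assumes that CLAIMS_MAP and SCOPE_CLAIM hold space-separated key="value" entries (as in the shortName and profile examples above), that CLAIMS_SUPPORTED is comma-separated, and that every supported claim is mapped; the default claim names in the sample are constructed.

```python
import json
import re
import sys

# Constructed sample of the three data keys in the platform-auth-idp configmap
# after adding the custom claim "shortName". Only the shortName entries come
# from the documented example; the other claims are assumed defaults.
SAMPLE_DATA = {
    "CLAIMS_SUPPORTED": "name,family_name,given_name,shortName",
    "CLAIMS_MAP": 'name="givenName" family_name="sn" given_name="givenName" '
                  'shortName="displayName"',
    "SCOPE_CLAIM": 'profile="shortName,name,family_name,given_name"',
}

def parse_pairs(text):
    """Parse space-separated key="value" entries (assumed CLAIMS_MAP/SCOPE_CLAIM format)."""
    return dict(m.groups() for m in re.finditer(r'(\w+)="([^"]*)"', text))

def parse_list(text):
    """Parse a comma-separated claim list such as CLAIMS_SUPPORTED."""
    return [c.strip() for c in text.split(",") if c.strip()]

def check_claims(data):
    """Return inconsistencies between the three definitions; empty means they agree."""
    problems = []
    supported = parse_list(data.get("CLAIMS_SUPPORTED", ""))
    claims_map = parse_pairs(data.get("CLAIMS_MAP", ""))
    scopes = {s: parse_list(v) for s, v in parse_pairs(data.get("SCOPE_CLAIM", "")).items()}
    # Every supported claim needs an LDAP attribute to read its value from.
    for claim in supported:
        if claim not in claims_map:
            problems.append(f"{claim} is in CLAIMS_SUPPORTED but has no CLAIMS_MAP entry")
    # Every mapped claim exposes that LDAP attribute to clients, so each map
    # entry should be a claim you deliberately listed as supported.
    for claim in claims_map:
        if claim not in supported:
            problems.append(f"CLAIMS_MAP maps {claim}, which is not in CLAIMS_SUPPORTED")
    # A scope may only hand out claims that are supported.
    for scope, claims in scopes.items():
        for claim in claims:
            if claim not in supported:
                problems.append(f"scope {scope} lists {claim}, which is not in CLAIMS_SUPPORTED")
    return problems

if __name__ == "__main__":
    # Usage: oc get cm platform-auth-idp -n ibm-common-services -o json | python3 check_claims.py
    cm = json.load(sys.stdin)
    for line in check_claims(cm["data"]) or ["OK: claim definitions are consistent"]:
        print(line)
```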