
Propagate user attributes from MDK application to backend services in different subaccounts

PAstolfi86
Explorer
0 Kudos

Hi,

we are implementing an MDK application deployed on subaccount "A" that consumes an OData service deployed on subaccount "B".

The subaccount "A" has a custom IdP that is federated with ADFS. A custom assertion attribute has been inserted in the federation.

In other applications deployed on subaccount "A" I can see the custom assertion attribute.

I want the service on subaccount "B" to read the custom assertion attributes. To do this I've created, in mobile connectivity, a destination with OAuth2 SAML Bearer Assertion. I've established a trust with this new destination in subaccount "B" and the authentication is correctly propagated, but in the service I can't see the custom assertion attribute.

How can I propagate the assertion attributes?

guo-pingzhang
Advisor

In the OAuth2 SAML Bearer Assertion flow, Mobile Services will generate a SAML assertion based on the current login context.

The current login context will contain the SAML attributes received from the IdP during login to Mobile Services.

So the SAML assertion that Mobile Services sends to the 'Token Service URL' will contain the SAML attributes from the IdP.

But whether the Token Service will maintain the SAML attributes is up to the implementation of the Token Service.

PAstolfi86
Explorer
0 Kudos

I've configured the custom assertion attribute properly in the corporate identity provider and in the IdP. In other applications I can see the custom attributes.

In the MDK application, in the Security tab, I've inserted the following xs-security.json:

{
	"xsappname": "anasgallerie",
	"tenant-mode": "dedicated",
	"scopes": [
		{
			"name": "$XSAPPNAME.gallerie_user",
			"description": "gallerie_user"
		}
	],
	"attributes": [
		{
			"name": "postOfficeBox",
			"description": "PIVA",
			"valueType": "s",
			"valueRequired": true
		}
	],
	"role-templates": [
		{
			"name": "gallerie_user",
			"description": "generated",
			"scope-references": [
				"$XSAPPNAME.gallerie_user"
			],
			"attribute-references": [
				{
					"name": "postOfficeBox"
				}
			]
		}
	],
	"role-collections": [
		{
			"name": "ANAS_GALLERIE",
			"description": "User Gallerie",
			"role-template-references": [
				"$XSAPPNAME.gallerie_user"
			]
		}
	]
}

Below is the xs-security.json of the provider service:

{
  "xsappname": "ANAS-Gallerie",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "foreign-scope-references": ["user_attributes"],
  "scopes": [
    {
      "name": "uaa.user",
      "description": "UAA"
    }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": [
        "uaa.user"
      ]
    }
  ]
}

But I can't see the attributes on the provider service.
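A way to check, at the provider service, whether the token service actually kept the SAML attribute the caller declared (the question the advisor's answer leaves open). This is an added example, not code from the thread or from SAP: the token, its issuer-side values and the attribute value are constructed, the signature segment is a placeholder, and the caller descriptor is a subset of the xs-security.json posted above.

```python
import base64
import json

# Subset of the MDK app's xs-security.json from the post above: the attribute
# the caller declares and expects to arrive at the provider service.
CALLER_XS_SECURITY = {
    "xsappname": "anasgallerie",
    "attributes": [
        {"name": "postOfficeBox", "description": "PIVA", "valueType": "s", "valueRequired": True}
    ],
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def build_sample_token(payload: dict) -> str:
    # Constructed, unsigned sample for inspection only; the signature segment is a placeholder.
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"

def decode_payload(token: str) -> dict:
    # Reads the claims without verifying the signature: fine for inspecting a
    # token in a debugger, not for authorizing requests (verify against the
    # XSUAA JWKS before trusting any claim in production).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(b64url_decode(parts[1]))

def user_attributes(token: str) -> dict:
    # XSUAA carries SAML-derived attributes in the "xs.user.attributes" claim,
    # a map from attribute name to a list of string values.
    return decode_payload(token).get("xs.user.attributes", {})

def declared_attribute_names(xs_security: dict) -> list:
    return [a["name"] for a in xs_security.get("attributes", [])]

def missing_attributes(token: str, expected: list) -> list:
    present = user_attributes(token)
    return [name for name in expected if name not in present]

# Constructed payload: what the provider would see if the token service kept
# the attribute. The user name and the attribute value are made-up samples.
SAMPLE_TOKEN = build_sample_token({
    "user_name": "sample.user",
    "scope": ["uaa.user", "openid"],
    "xs.user.attributes": {"postOfficeBox": ["IT01234567890"]},
})

if __name__ == "__main__":
    expected = declared_attribute_names(CALLER_XS_SECURITY)
    print("missing attributes:", missing_attributes(SAMPLE_TOKEN, expected))
```

Run the same check against a real token captured at the provider service: an empty list means the token service preserved the attribute, while a non-empty list points at the token exchange rather than at the IdP configuration.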