...

Profile attributes are retrieved from OpenAM based on the results of REST calls to the /json/users/USERID endpoint. Note that, following a recent change, this endpoint is no longer accessible to the agents.

Code Block
curl -s \
    --header "iPlanetDirectoryPro: <AGENT SSO TOKEN>" \
    --header "Accept-API-Version: protocol=1.0,resource=1.0" \
    --header "Content-Type: application/json" \
    http://openam.example.com:8010/openam/json/users/noggin

...

Code Block
{
  "username": "noggin",
  "realm": "/",
  "mail": [
    "noggin@nog.com"
  ],
  "givenName": [
    "Noggin"
  ],
  "objectClass": [
    "iplanet-am-managed-person",
    "inetuser",
    "sunFederationManagerDataStore",
    "sunFMSAML2NameIdentifier",
    "devicePrintProfilesContainer",
    "inetorgperson",
    "sunIdentityServerLibertyPPService",
    "iPlanetPreferences",
    "pushDeviceProfilesContainer",
    "iplanet-am-user-service",
    "forgerock-am-dashboard-service",
    "organizationalperson",
    "top",
    "kbaInfoContainer",
    "sunAMAuthAccountLockout",
    "person",
    "oathDeviceProfilesContainer",
    "iplanet-am-auth-configuration-service"
  ],
  "dn": [
    "uid=noggin,ou=people,dc=openam,dc=forgerock,dc=org"
  ],
  "cn": [
    "Noggin The Nog"
  ],
  "modifyTimestamp": [
    "20161219144443Z"
  ],
  "employeeNumber": [
    "1000"
  ],
  "createTimestamp": [
    "20161110102817Z"
  ],
  "uid": [
    "noggin"
  ],
  "universalid": [
    "id=noggin,ou=user,dc=openam,dc=forgerock,dc=org"
  ],
  "inetUserStatus": [
    "Active"
  ],
  "sn": [
    "The Nog"
  ],
  "roles": [
    "ui-self-service-user"
  ]
}

Response Attributes

Response attributes are returned most notably from the policy evaluation endpoint, /json/policies. So, create a policy for access to /examples/*, add userPassword, dn, cn and sn to the subject attributes and staticAttributeName1 / staticAttributeValue1 to the static attributes, then evaluate the request as follows:

...

Code Block
CharSet
UserId
successURL
cookieSupport
AuthLevel
SessionHandle
UserToken
IndexType
Principals
sun.am.UniversalIdentifier
amlbcookie
Organization
Locale
HostName
AuthType
Host
UserProfile
AMCtxId
clientType
authInstant
Principal

For normal users, a session property whitelist is enforced: for a user to be able to see the value of a particular session property, that property must be whitelisted. For agents the case is different; agents are allowed to see all of the user's session properties, whether whitelisted or not.

If you add all of the above properties to your whitelist and then call:

Code Block
curl -s \
    -X POST \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'Accept-API-Version: resource=2.0' \
    --header 'iPlanetDirectoryPro: <INSERT TOKEN 1 HERE>' \
    'http://openam.example.com:8010/openam/json/sessions?tokenId=<INSERT TOKEN 2 HERE>&_action=getProperty'

...

Code Block
{
  "Locale": "en_US",
  "authInstant": "2017-01-06T11:52:28Z",
  "Organization": "dc=openam,dc=forgerock,dc=org",
  "Principals": "noggin",
  "UserProfile": "Required",
  "CharSet": "UTF-8",
  "successURL": "/openam/console",
  "cookieSupport": "true",
  "SessionHandle": "shandle:AQIC5wM2LY4SfcxygijChz5L6cY9XUkFIYOFkPmeBk_bp9I.*AAJTSQACMDEAAlNLABM0ODcxMzkzNjg5MTk4Nzg2MzEzAAJTMQAA*",
  "Host": "172.16.100.171",
  "AuthLevel": "0",
  "clientType": "genericHTML",
  "UserId": "noggin",
  "AMCtxId": "31903ddbcfa3a42301",
  "AuthType": "DataStore",
  "IndexType": "",
  "sun.am.UniversalIdentifier": "id=noggin,ou=user,dc=openam,dc=forgerock,dc=org",
  "amlbcookie": "01",
  "HostName": "172.16.100.171",
  "Principal": "id=noggin,ou=user,dc=openam,dc=forgerock,dc=org",
  "UserToken": "noggin"
}
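As an added example (not code from the original page or from OpenAM itself), the following Python client wraps the two calls discussed above, the profile lookup under /json/users/USERID and the session property lookup under /json/sessions?tokenId=...&_action=getProperty, and pairs them with an offline stand-in for the server that models the two rules stated on this page: agents see every session property while normal users see only whitelisted ones, and /json/users is no longer reachable by agents. The header names, query parameters and Accept-API-Version values are taken from the curl commands above; the class and function names, the injectable transport, the placeholder tokens and the sample responses are assumptions made for the example.

```python
# Added example, not part of the original page: a minimal OpenAM REST client plus
# an offline stand-in server so the session property whitelist behaviour can be
# exercised without a live OpenAM. Header names and API versions are from the
# page's curl examples; all other names and the sample data are assumptions.
import json
import urllib.parse
import urllib.request

SSO_HEADER = "iPlanetDirectoryPro"  # header carrying the caller's SSO token


class SessionPropertyNotVisible(KeyError):
    """A requested session property was absent from the response. For a normal
    user this normally means the property is not on the session property whitelist."""


def urllib_transport(method, url, headers, body):
    """Default transport over urllib; replaced by fake_openam() for offline use."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return json.loads(resp.read())


class OpenAMClient:
    def __init__(self, base_url, sso_token, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.sso_token = sso_token
        self.transport = transport

    def _headers(self, api_version):
        return {SSO_HEADER: self.sso_token, "Accept-API-Version": api_version,
                "Content-Type": "application/json", "Accept": "application/json"}

    def get_profile(self, user_id):
        """GET /json/users/USERID with protocol=1.0,resource=1.0, as on the page."""
        url = f"{self.base_url}/json/users/{urllib.parse.quote(user_id, safe='')}"
        return self.transport("GET", url, self._headers("protocol=1.0,resource=1.0"), None)

    def get_session_properties(self, token_id):
        """POST /json/sessions?tokenId=...&_action=getProperty with resource=2.0."""
        query = urllib.parse.urlencode({"tokenId": token_id, "_action": "getProperty"})
        return self.transport("POST", f"{self.base_url}/json/sessions?{query}",
                              self._headers("resource=2.0"), None)

    def get_session_property(self, token_id, name):
        props = self.get_session_properties(token_id)
        if name not in props:
            raise SessionPropertyNotVisible(name)
        return props[name]


# Constructed sample data shaped like the page's responses (not real tokens or users).
SAMPLE_PROFILE = {"username": "noggin", "cn": ["Noggin The Nog"], "sn": ["The Nog"],
                  "mail": ["noggin@nog.com"], "inetUserStatus": ["Active"]}
SAMPLE_SESSION = {"UserId": "noggin", "AuthLevel": "0", "Locale": "en_US",
                  "SessionHandle": "shandle:<constructed>", "AMCtxId": "<constructed>"}


def fake_openam(whitelist, caller_is_agent, log):
    """Offline stand-in for the server: agents see every session property, normal
    users only whitelisted ones, and /json/users is not reachable by agents."""
    def transport(method, url, headers, body):
        log.append((method, urllib.parse.urlsplit(url).path, headers[SSO_HEADER]))
        if "/json/users/" in url:
            if caller_is_agent:
                raise PermissionError("/json/users is not accessible to agents")
            return dict(SAMPLE_PROFILE)
        if "/json/sessions" in url and "_action=getProperty" in url:
            if caller_is_agent:
                return dict(SAMPLE_SESSION)
            return {k: v for k, v in SAMPLE_SESSION.items() if k in whitelist}
        raise AssertionError("unexpected request " + url)
    return transport


def demo(caller_is_agent, whitelist=("UserId", "AuthLevel", "Locale")):
    """Fetch one profile attribute and two session properties; report what was visible."""
    log = []
    client = OpenAMClient("http://openam.example.com:8010/openam", "<SSO TOKEN PLACEHOLDER>",
                          transport=fake_openam(whitelist, caller_is_agent, log))
    result = {}
    try:  # profile attributes come back as LDAP-style lists; take the first value
        result["cn"] = (client.get_profile("noggin").get("cn") or [None])[0]
    except PermissionError:
        result["cn"] = None
    for name in ("UserId", "SessionHandle"):
        try:
            result[name] = client.get_session_property("<TOKEN 2 PLACEHOLDER>", name)
        except SessionPropertyNotVisible:
            result[name] = None
    result["calls"] = [(method, path) for method, path, _ in log]
    return result
```

Run `demo(caller_is_agent=False)` and `demo(caller_is_agent=True)` to compare: the normal user gets the profile and the whitelisted UserId but not SessionHandle, while the agent gets every session property but is refused the profile endpoint. Pass `transport=urllib_transport` (the default) and real tokens to use the client against an actual deployment; the whitelist itself is enforced server-side, so a missing property on a real user session is the signal that it has not been whitelisted.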