Adding custom OIDC claims

The foundational services Identity and Access Management (IAM) uses WebSphere® Application Server Liberty as its OpenID Connect (OIDC) provider.

The IAM service uses the default scopes and claims that Liberty provides. For more information about these default scopes and claims, see Configuring claims returned by the UserInfo endpoint Opens in a new tab.

Based on your OIDC authentication requirements, you can customize the OIDC claims that are returned by the UserInfo endpoint.

You can use attributes from your LDAP server in the claims map, which is used to get user information.

To change the default claims and their mapping, or to define a custom claim, complete these steps:

Note: These steps are for customizing the claims after you install the IAM service. To customize the claims before installation, see Adding custom OIDC claims.

  1. Log in to your infrastructure node by using the oc login command.

  2. Edit the platform-auth-idp configmap.

     oc edit cm platform-auth-idp --n ibm-common-services

    In the data section, you see many data definitions including CLAIMS_MAP, CLAIMS_SUPPORTED, and SCOPE_CLAIM.

    • The CLAIMS_SUPPORTED definition includes the user information that you want to view when you call the UserInfo endpoint. The default values are always available. You can remove any claim that you don't want, or add a custom claim if required. For example, you might add shortName.
    • The CLAIMS_MAP definition includes the mapping between the CLAIMS_SUPPORTED values and the attributes that are available in your LDAP (Lightweight Directory Access Protocol) server. You can edit the default maps as required. If you add a custom claim, you must map it to an attribute that is in your LDAP server. For example, if you added shortName as a claim, you can add shortName="displayName" as the claim map, where displayName is an attribute in your LDAP server.
    • the SCOPE_CLAIM definition includes the scopes and the claims that the scope uses. If you add a custom claim, you must also add it to the SCOPE_CLAIM definition. For example, if you are using the profile scope, then based on the shortName example claim, you would add shortName to the list: SCOPE_CLAIM: profile="shortName,name,family_name,....
  3. Restart the auth-idp pod by deleting it.

    1. Get the auth-idp pod name.

      oc get pods -n ibm-common-services | grep auth-idp

      Following is a sample output:

      auth-idp-785df784f5-qcx4z                          4/4     Running   0          39d
    2. Delete the auth-idp pod.

      oc delete pod <auth-idp-pod-name> -n ibm-common-services

After the pod restarts, your updated claims are available for the endpoint to use.