Adding custom OIDC claims
The foundational services Identity and Access Management (IAM) uses WebSphere® Application Server Liberty as its OpenID Connect (OIDC) provider.
The IAM service uses the default scopes and claims that Liberty provides. For more information about these default scopes and claims, see Configuring claims returned by the UserInfo endpoint.
Based on your OIDC authentication requirements, you can customize the OIDC claims that are returned by the UserInfo endpoint.
You can use attributes from your LDAP server in the claims map, which is used to get user information.
To change the default claims and their mapping, or to define a custom claim, complete these steps:

Note: These steps are for customizing the claims after you install the IAM service. To customize the claims before installation, see Adding custom OIDC claims.

1. Log in to your infrastructure node by using the
2. Edit the platform-auth-idp ConfigMap:

   oc edit cm platform-auth-idp -n ibm-common-services

3. In the data section, you see many data definitions, including the following:

   - The CLAIMS_SUPPORTED definition includes the user information that you want to view when you call the UserInfo endpoint. The default values are always available. You can remove any claim that you don't want, or add a custom claim if required. For example, you might add shortName.
   - The CLAIMS_MAP definition includes the mapping between the CLAIMS_SUPPORTED values and the attributes that are available in your LDAP (Lightweight Directory Access Protocol) server. You can edit the default maps as required. If you add a custom claim, you must map it to an attribute that is in your LDAP server. For example, if you added shortName as a claim, you can add shortName="displayName" as the claim map, where displayName is an attribute in your LDAP server.
   - The SCOPE_CLAIM definition includes the scopes and the claims that each scope uses. If you add a custom claim, you must also add it to the SCOPE_CLAIM definition. For example, if you are using the profile scope, then based on the shortName example claim, you would add shortName to the claim list of the profile scope.

4. Restart the auth-idp pod by deleting it. First, find the pod name:

   oc get pods -n ibm-common-services | grep auth-idp

   Following is a sample output:

   auth-idp-785df784f5-qcx4z 4/4 Running 0 39d

   Then delete the pod:

   oc delete pod <auth-idp-pod-name> -n ibm-common-services

5. After the pod restarts, your updated claims are available for the endpoint to use.
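The three definitions only work together when a claim that is listed in CLAIMS_SUPPORTED also has an LDAP attribute in CLAIMS_MAP and appears under a scope in SCOPE_CLAIM; a claim that is missing from either will never be returned by the UserInfo endpoint, and the pod restart gives no hint why. The following script is an added example, not IBM's own tooling, that checks the three values for that consistency before you restart auth-idp. It assumes the value formats shown in the constructed sample data (a comma-separated claim list for CLAIMS_SUPPORTED, and space-separated key="value" pairs for CLAIMS_MAP and SCOPE_CLAIM); the sample values and the shortName/displayName mapping are constructed for illustration.

```shell
#!/bin/sh
# Consistency check for the platform-auth-idp data fields (added example,
# not part of the IAM service). Assumed formats, constructed for this check:
#   CLAIMS_SUPPORTED  comma-separated claim names
#   CLAIMS_MAP        space-separated claim="ldapAttribute" pairs
#   SCOPE_CLAIM       space-separated scope="claim1,claim2,..." pairs

# Usage: check_claim_config <CLAIMS_SUPPORTED> <CLAIMS_MAP> <SCOPE_CLAIM>
# Prints one line per problem and returns 1 if any supported claim has no
# CLAIMS_MAP entry or is not listed under any scope; returns 0 otherwise.
check_claim_config() {
  supported=$1
  claims_map=$2
  scope_claim=$3
  rc=0

  # Claim names that have a mapping: strip the ="attribute" part of each pair.
  mapped=$(printf '%s' "$claims_map" | sed 's/="[^"]*"//g')

  # Every scope's claim list, flattened into one comma-separated string.
  scoped=$(printf '%s' "$scope_claim" | tr ' ' '\n' \
           | sed 's/^[^=]*="\(.*\)"$/\1/' | tr '\n' ',')

  for claim in $(printf '%s' "$supported" | tr ',' ' '); do
    case " $mapped " in
      *" $claim "*) ;;
      *) echo "claim '$claim' has no LDAP attribute in CLAIMS_MAP"; rc=1 ;;
    esac
    case ",$scoped," in
      *",$claim,"*) ;;
      *) echo "claim '$claim' is not listed under any scope in SCOPE_CLAIM"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: shortName was added everywhere it needs to be.
GOOD_SUPPORTED='name,family_name,given_name,email,shortName'
GOOD_MAP='name="cn" family_name="sn" given_name="givenName" email="mail" shortName="displayName"'
GOOD_SCOPE='profile="name,family_name,given_name,shortName" email="email"'

# Constructed sample of the common mistake: shortName was added to
# CLAIMS_SUPPORTED only, so it has no mapping and belongs to no scope.
BAD_SUPPORTED='name,email,shortName'
BAD_MAP='name="cn" email="mail"'
BAD_SCOPE='profile="name" email="email"'

check_claim_config "$GOOD_SUPPORTED" "$GOOD_MAP" "$GOOD_SCOPE" \
  && echo "claim configuration is consistent"
check_claim_config "$BAD_SUPPORTED" "$BAD_MAP" "$BAD_SCOPE" \
  || echo "fix the ConfigMap before restarting the auth-idp pod"

# Against a live cluster, the same check can read the current values, e.g.:
#   check_claim_config \
#     "$(oc get cm platform-auth-idp -n ibm-common-services -o jsonpath='{.data.CLAIMS_SUPPORTED}')" \
#     "$(oc get cm platform-auth-idp -n ibm-common-services -o jsonpath='{.data.CLAIMS_MAP}')" \
#     "$(oc get cm platform-auth-idp -n ibm-common-services -o jsonpath='{.data.SCOPE_CLAIM}')"
```

Run the check after editing the ConfigMap and before deleting the pod; a non-zero exit means at least one claim would silently be missing from the UserInfo response.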