Credential mapping for OIDC users

You specify the capabilities of a user who authenticates by using OIDC by supplying credential mapping in an XML file.

In a credential mapping file, you specify the user as an InputCredential and the resources that they are authorized to use as an OutputCredential. The output credential can be a set of permissions as described in Access policies or it can be another user who has the permissions that you want to grant. For example, if your credential mapping file contains the following mapping, you can use 'administrator' as an OutputCredential to grant the same credentials:
<aaa:MapCredentials>
  <aaa:InputCredential>administrator</aaa:InputCredential>
  <aaa:OutputCredential>
    */*/*?Access=r+w+a+d+x
  </aaa:OutputCredential>
</aaa:MapCredentials>
The user name that you specify as the InputCredential depends on the way in which you have configured the user:
  • By default, the authenticated principal for OIDC users is subject@@issuer specifying the account name for OIDC single sign on and the URL of the OIDC service endpoint. For example:
    <aaa:MapCredentials>
      <aaa:InputCredential>jojo@paddock.com@@https://test.login.paddock.com/oidc/endpoint/default</aaa:InputCredential>
      <aaa:OutputCredential>administrator</aaa:OutputCredential>
    </aaa:MapCredentials>
    
  • If you have mapped the user name specified in the certificate to an alternative user name (see Using an alternative user name (OIDC)) then that is the name that you specify as the InputCredential. For example:
    <aaa:MapCredentials>
      <aaa:InputCredential>^jojo$</aaa:InputCredential>
      <aaa:OutputCredential>administrator</aaa:OutputCredential>
    </aaa:MapCredentials>
    
Note: If you also use SSH certificate authentication, be aware that credential mapping rules for SSH certificates use the SSH username as the InputCredential. You should ensure that the credential mapping rules in your XML file for OIDC users do not conflict with the rules for SSH certificates.