Credential mapping for OIDC users
You specify the capabilities of a user who authenticates by using OIDC by supplying credential mapping in an XML file.
In a credential mapping file, you specify the user as an InputCredential and the resources that
they are authorized to use as an OutputCredential. The output credential can be a set of permissions
as described in Access policies or it can be another user who has the permissions that
you want to grant. For example, if your credential mapping file contains the following mapping, you
can use 'administrator' as an OutputCredential to grant the same
credentials:
<aaa:MapCredentials>
<aaa:InputCredential>administrator</aaa:InputCredential>
<aaa:OutputCredential>
*/*/*?Access=r+w+a+d+x
</aaa:OutputCredential>
</aaa:MapCredentials>
The user name that you specify as the InputCredential depends on the way in which you have
configured the user:
- By default, the authenticated principal for OIDC users is
subject@@issuerspecifying the account name for OIDC single sign on and the URL of the OIDC service endpoint. For example:<aaa:MapCredentials> <aaa:InputCredential>jojo@paddock.com@@https://test.login.paddock.com/oidc/endpoint/default</aaa:InputCredential> <aaa:OutputCredential>administrator</aaa:OutputCredential> </aaa:MapCredentials> - If you have mapped the user name specified in the certificate to an alternative user name (see
Using an alternative user name (OIDC)) then that is the name that you specify as the
InputCredential. For example:
<aaa:MapCredentials> <aaa:InputCredential>^jojo$</aaa:InputCredential> <aaa:OutputCredential>administrator</aaa:OutputCredential> </aaa:MapCredentials>
Note: If you also use SSH certificate authentication, be aware that credential mapping rules
for SSH certificates use the SSH username as the InputCredential. You should ensure that the
credential mapping rules in your XML file for OIDC users do not conflict with the rules for SSH
certificates.