Using an alternative user name (OIDC)

You can map the user name specified in OIDC to another name that can be used by IBM® MQ.

If you require a user authenticated using OIDC to have the MQWebUser role (see Configuring user access to the IBM MQ Console, REST API, and the CLI), then you must map the OIDC user name onto a name that meets the IBM MQ user name requirements and can be used as the authenticated principal. (You do not need to map the user name if the user has the MQWebAdmin or MQWebAdminRO role.)

You can define such mappings by using the Web UI, the command line interface, or the REST API.

The mapping rules are Perl-compatible regular expressions (PCRE), so a single rule can match multiple user names, which avoids the need to define a separate rule for each user. For example, if your user names have the format name@paddock.com, then a single mapping rule can strip off the @paddock.com suffix. Capture groups can be used in the From regular expression and then referred to in the To field when building the mapped value. In the following example, the value $1 in the To field is replaced by the text matched by the first capture group in the From field, which is identified by the use of parentheses. If multiple capture groups are specified, then their values are associated with $1, $2, $3, and so on, up to a maximum of $9.
mqa(config rbm)# au-user-map (.*)\\@paddock\\.com $1

When you use mapping rules in this way, the target values for the authenticated principal are used in the RBM XML credential mapping file.
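The following Python sketch is an added example, not IBM code: it emulates the From/To substitution described above so that a rule can be checked against sample names before it is defined on the appliance. It assumes that the doubled backslashes in the command are CLI escaping, that an unset group expands to an empty string, and it uses a hypothetical stricter rule and constructed sample names; whether the appliance matches the whole name or any part of it is not stated here, so both modes are shown.

```python
import re

def apply_user_map(from_regex, to_template, oidc_name, full_match=True):
    """Return the mapped principal, or None when the From regex does not match.

    Assumption: $1..$9 in the To value expand to capture groups, and an
    unset or missing group expands to an empty string.
    """
    pattern = re.compile(from_regex)
    match = pattern.fullmatch(oidc_name) if full_match else pattern.search(oidc_name)
    if match is None:
        return None

    def expand(ref):
        index = int(ref.group(1))
        if index > pattern.groups:
            return ""
        return match.group(index) or ""

    return re.sub(r"\$([1-9])", expand, to_template)

# Rule from the page, written with single backslashes (assumption: the doubled
# backslashes in the CLI command are CLI escaping).
PAGE_RULE = (r"(.*)\@paddock\.com", "$1")
# Hypothetical tighter rule: anchored, and requires a non-empty local part.
STRICT_RULE = (r"^([A-Za-z0-9]+)\@paddock\.com$", "$1")

# Constructed sample names, including ones a rule should not map.
SAMPLES = ["alice@paddock.com", "bob@example.org",
           "carol@paddock.com.example.org", "@paddock.com"]

def compare_rules():
    """Map each sample with: page rule (whole name), page rule (anywhere), strict rule."""
    rows = {}
    for name in SAMPLES:
        rows[name] = (apply_user_map(*PAGE_RULE, name),
                      apply_user_map(*PAGE_RULE, name, full_match=False),
                      apply_user_map(*STRICT_RULE, name))
    return rows

if __name__ == "__main__":
    for name, mapped in compare_rules().items():
        print(f"{name!r:35} -> {mapped}")
```

The second column differs from the first only for the name with a trailing domain, and the page rule maps a name with an empty local part to an empty principal, which the stricter rule rejects.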