Map identity provider claims to Smart API Manager claims - Intergraph Smart API Manager - 5.0 - Help

Intergraph Smart API Manager Help

Claims are name/value pairs that originate with an identity provider. You can map identity provider claims to User, Group, or Provide a value (for a custom claim) in Smart API Manager. You can also combine the mappings.

  • If you map a claim to User, you can use the claim's value as an external identity for a user.

  • If you map a claim to Group, you can use the claim's value as an external identity for a group.

  • If you map a claim to a custom name (Provide a value), the custom claim is passed through to the id and access tokens retrieved during authentication.

The sub and name claims are always passed through to the id and access tokens, even without the custom name mapping. However, if the value of these claims is transformed using regular expressions (see Modify claim values via regex), you must map the claim to a custom name. That is, you can map sub to sub and/or name to name to pass through the transformed claim value in the tokens.

For example, you add an OpenID Connect identity provider called MyProvider. One of the available claims for OpenID Connect is email, and you want to use email value(s) to identify user(s).

Tip: Include email as a Scope value in Settings to use an email value for identity.

In the Claims section for the identity provider, the Provider Claim (email) value can map to: User, Group (or both). In this example, let's map to User and email (meaning the email claim/value is passed through to the id and access tokens):

Provider Claim   Value maps to...   Default Value
email            User, email        none

With the Users feature in Smart API Manager, you can add an identity to a local user based on the claim mapping. For more information, see Add external identity provider credentials to a user.

For example, you select the System Administrator user and edit the user's External Identities to Add external identity. You select the identity provider (MyProvider), enter the email value for the desired user, and save the changes:

Identity Provider   Name
MyProvider          joe_user@gmail.com

Now, when Joe User authenticates, or logs in, using MyProvider, he has the same privileges and access as the System Administrator user in Smart API Manager.
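The following Python is an added example, not Intergraph's code, that models the mapping rules above: a claim mapped to User or Group yields an external identity that is matched against a local user's External Identities, a Provide a value mapping passes the claim into the tokens under the custom name, sub and name pass through even without a mapping, a Default Value stands in for an absent claim, and a regex-transformed value reaches the tokens only through a custom-name mapping. The department claim, the sub value and the regex transform (and the assumption that the transform runs before mapping) are constructed for the sample.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
ALWAYS_PASSED = ("sub", "name")  # always passed through to the id/access tokens

@dataclass
class ClaimMapping:
    provider_claim: str
    to_user: bool = False                    # "Value maps to" User
    to_group: bool = False                   # "Value maps to" Group
    custom_name: Optional[str] = None        # "Provide a value": pass through as this name
    default: Optional[str] = None            # "Default Value" used when the claim is absent
    regex: Optional[Tuple[str, str]] = None  # assumed (pattern, replacement) transform

def apply_claim_mappings(mappings, received):
    """Resolve external identities and token claims from one provider's claims."""
    user_ids, group_ids, token = [], [], {}
    for name in ALWAYS_PASSED:        # untransformed sub/name pass through unmapped
        if name in received:
            token[name] = received[name]
    for m in mappings:
        value = received.get(m.provider_claim, m.default)
        if value is None:
            continue                  # nothing received and no default: skip
        if m.regex:                   # transform before mapping (assumed order)
            value = re.sub(m.regex[0], m.regex[1], value)
        if m.to_user:
            user_ids.append((m.provider_claim, value))
        if m.to_group:
            group_ids.append((m.provider_claim, value))
        if m.custom_name:             # only a custom-name mapping carries the
            token[m.custom_name] = value  # transformed value into the tokens
    return user_ids, group_ids, token

def resolve_local_user(provider, user_ids, external_identities):
    # Find the local user whose External Identities hold a matching value.
    for _claim, value in user_ids:
        local = external_identities.get((provider, value))
        if local:
            return local
    return None

# Constructed sample: the page's MyProvider/email mapping plus the sysadmin link.
MAPPINGS = [
    ClaimMapping("email", to_user=True, custom_name="email"),
    ClaimMapping("department", to_group=True, default="guests"),
    ClaimMapping("sub", custom_name="sub", regex=(r"^oidc\|", "")),
]
EXTERNAL_IDENTITIES = {("MyProvider", "joe_user@gmail.com"): "System Administrator"}
RECEIVED = {"sub": "oidc|1234", "name": "Joe User", "email": "joe_user@gmail.com"}
```

Running apply_claim_mappings on RECEIVED and resolve_local_user on the result shows the email claim resolving to the System Administrator user, which is why the value entered under External Identities deserves the same scrutiny as a local password.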

What to do if you don't know what your claims are

If you are unsure what claims are required for the identity provider, you can do this:

  1. Set the minimum logging level to Trace.

  2. As you go through the steps below, type any value in the Add a provider claim box so that you can complete the process.

  3. Try to log on to a Smart Client that uses the provider. The logon will fail, and the missing claim values are written to the log.

  4. On the right panel, click Logs and search for Received an external identity to find the log entry showing all claims received from the provider.

  5. Reset the minimum logging level, if needed.

To map claims

  1. Click the Add a provider claim box.

  2. Type a claim name and click ADD.

  3. In the Value Maps to column, click Provide a value and select either:

    • Group - To map the claim to the external identity for the Smart API Manager Group

    • User - To map the claim to the external identity for the Smart API Manager User

    • Provide a value - To pass through the claim to ID and access tokens

  4. Click Provide a value, this time under the Default Value column. Type a default value or leave it blank, as needed, then click SAVE.

  5. When you are finished adding claims, click NEXT.

  6. If you are ready for the identity provider to be available for use, click the Enable identity provider check box to change the status to Enabled.

  7. Click NEXT and then FINISH.