You are viewing the documentation for Blueriq 15. Documentation for other versions is available in our documentation directory.
The AQ_GetAuthenticationClaims service can be used to map one or more authentication claims to specified attributes in the profile. This service works with single or multivalued attributes.
Parameters
Name | Description | Type | Required |
---|---|---|---|
Claims | Specify the authentication claim name and the attribute to which the value is transferred. | Multivalued - Key value pair - Module element - Attribute | true |
To be able to map authentication claims to your profile, two steps are required:
- Configure your runtime as described in OpenID Connect configuration. Make sure that the right claims are mapped to the technical Blueriq scope (section Mapping claims from the ID token).
- Model a service call of type AQ_GetAuthenticationClaims and specify in it which claims need to be mapped to which attribute.
Example usage AQ_GetAuthenticationClaims service
First examine the JWT token:
{ ... "resource_access": { "blueriq-runtime": { "roles": [ "aanvrager" ] }, "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "preferred_username": "aanvrager", "custom_username": "The real aanvrager" "email": "the_real_aanvrager@blueriq.com" ... }
Then configure the properties:
blueriq.security.openid-connect.claim-mapping.username=custom_username blueriq.security.openid-connect.claim-mapping.roles=resource_access,account,roles
Map the claims to the profile using the service:
Exit events
Name | Description | Type |
---|---|---|
OK | When the AQ_GetAuthenticationClaims service executed successfully. | Continue |
MappingFailure | When at least one of the requested claims was not available in the session. The header(s) that were not available can be found as a warning in the log file. | Continue |
NothingToMap | The operation had no effect, because no claims were saved in the session. | Cancel |
Limitations
Note that the claim information is only obtained at login. This means that if a user claim changes in the identity provider and the user has an active session, that the information in the user session might be outdated. Also, as the service can only map single and multivalued values, objects will be skipped.