You are viewing the documentation for Blueriq 17. Documentation for other versions is available in our documentation directory.

The AQ_GetAuthenticationClaims service can be used to map one or more authentication claims to specified attributes in the profile. This service works with single or multivalued attributes.

Parameters

Name: Claims
Description: Specify the authentication claim name and the attribute to which the value is transferred.
Type: Multivalued - Key value pair - Module element - Attribute
Required: Yes

To be able to map authentication claims to your profile, two steps are required:

  1. Configure your runtime as described in OpenID Connect configuration. Make sure that the right claims are mapped to the technical Blueriq scope (section Mapping claims from the ID token).
  2. Model a service call of type AQ_GetAuthenticationClaims and specify in it which claims need to be mapped to which attribute.

Example usage of the AQ_GetAuthenticationClaims service

First examine the JWT token:

Sample of a JWT identity token
{
...
  "resource_access": {
    "blueriq-runtime": {
      "roles": [
        "aanvrager"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "preferred_username": "aanvrager",
  "custom_username": "The real aanvrager",
  "email": "the_real_aanvrager@blueriq.com"
...
}

Then configure the properties:

Sample application.properties
blueriq.security.jwt-claims.claim-mapping.username=$.custom_username
blueriq.security.jwt-claims.claim-mapping.roles=$.resource_access.account.roles

Map the claims to the profile using the service:


Exit events

Name: OK
Description: The AQ_GetAuthenticationClaims service executed successfully.
Type: Continue

Name: MappingFailure
Description: At least one of the requested claims was not available in the session. The claim(s) that were not available are listed as a warning in the log file.
Type: Continue

Name: NothingToMap
Description: The operation had no effect, because no claims were saved in the session.
Type: Cancel

Limitations

Note that the claim information is only obtained at login. This means that if a user claim changes in the identity provider while the user has an active session, the information in the user session may be outdated. Also, as the service can only map single and multivalued values, objects are skipped.
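The two-step mapping in the example above (claim-mapping properties at login, then the service's Claims parameter) and the behaviour described under Exit events and Limitations, illustrated as an added Python example; this is not Blueriq's own code. The token payload, the claim "access", the attribute names and the unmapped claim "department" are constructed, and the path resolver only handles the dotted "$.a.b" form shown in the properties.

```python
import logging

# Constructed: decoded payload of the ID token shown above (the "..." parts omitted).
TOKEN_PAYLOAD = {
    "resource_access": {
        "blueriq-runtime": {"roles": ["aanvrager"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
    "preferred_username": "aanvrager",
    "custom_username": "The real aanvrager",
}
# Constructed, in the shape of the claim-mapping properties above; only the dotted
# "$.a.b" path form is handled (an assumption). "access" is added to show an object claim.
CLAIM_MAPPING = {"username": "$.custom_username", "roles": "$.resource_access.account.roles",
                 "access": "$.resource_access"}

# Constructed Claims parameter of the service: claim name -> profile attribute
# (attribute names are hypothetical; "department" was never mapped into the session).
SERVICE_CLAIMS = {"username": "Person.Name", "roles": "Person.Roles",
                  "department": "Person.Department", "access": "Person.Access"}

def resolve_path(payload, path):
    """Walk a '$.a.b' path through the decoded token; None when a segment is missing."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported path: {path}")
    node = payload
    for segment in path[2:].split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node

def claims_at_login(payload, mapping):
    """Step 1 (runtime configuration): claims are copied into the session once, at login."""
    return {name: v for name, path in mapping.items()
            if (v := resolve_path(payload, path)) is not None}

def get_authentication_claims(session_claims, claims_param):
    """Step 2 (the service): map session claims to attributes; returns (values, exit event)."""
    if not session_claims:
        return {}, "NothingToMap"
    values, failed = {}, False
    for claim, attribute in claims_param.items():
        if claim not in session_claims:
            logging.warning("claim %s not available in session", claim)  # -> MappingFailure
            failed = True
        elif not isinstance(session_claims[claim], dict):  # single value or list is mapped
            values[attribute] = session_claims[claim]      # as-is; an object is skipped
    return values, "MappingFailure" if failed else "OK"
```

Because the session is filled only at login, a change of "roles" at the identity provider is not seen until the user logs in again, which is the staleness the Limitations section warns about.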