...

  • Customizable scoped role delimiter: Users can define their own delimiter to separate parts of the scoped role string. By default, a period (.) is used, but it can be changed to an underscore (_) or any other character, enhancing integration with different IDP configurations.

  • Customizable Wildcard: The second part of a three-part scoped role string specifies a configuration area, and a wildcard character can represent access to all non-confidential areas. While the default wildcard is an asterisk (*), users can now customize it to any character or string, providing more flexibility in defining access levels.

  • Display Name Customization: Depending on the Role Claim configuration, users can define which claim in the token coming from the IDP should be used as the scoped role claim, and for that claim a display name format can be configured within the application. This allows for more intuitive and organization-specific naming conventions that align with the user’s role and access permissions.
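To make the delimiter and wildcard behaviour above concrete, here is an added Python example (not code from the CDCM application) that parses a three-part scoped role string with a configurable delimiter and evaluates whether it grants a given configuration area. The page only names the middle part (the configuration area); calling the outer parts "scope" and "role", the area names, and the confidential-area set are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class ScopedRole:
    """One three-part scoped role.

    The page only names the middle part (the configuration area); the
    names 'scope' and 'role' for the outer parts are an assumption.
    """
    scope: str
    area: str
    role: str


def parse_scoped_role(value: str, delimiter: str = ".") -> ScopedRole:
    """Split a scoped role string on the configured delimiter.

    Exactly three non-empty parts are required, so a delimiter that also
    occurs inside a part name (e.g. "_" with an area called "cost_center")
    is rejected instead of being silently mis-parsed.
    """
    parts = value.split(delimiter)
    if len(parts) != 3 or not all(parts):
        raise ValueError(
            f"expected three non-empty parts separated by {delimiter!r}, got {value!r}"
        )
    return ScopedRole(parts[0], parts[1], parts[2])


def grants_area(
    role: ScopedRole,
    area: str,
    confidential_areas: FrozenSet[str],
    wildcard: str = "*",
) -> bool:
    """Decide whether `role` covers configuration area `area`.

    An explicitly named area always matches. The wildcard (default "*",
    customizable) matches every area except the confidential ones, which
    have to be granted by name.
    """
    if role.area == area:
        return True
    if role.area == wildcard:
        return area not in confidential_areas
    return False


if __name__ == "__main__":
    # Constructed sample: which areas count as confidential is an assumption.
    confidential = frozenset({"secrets", "audit"})

    # Default delimiter "." and default wildcard "*".
    r = parse_scoped_role("tenant1.*.reader")
    print(r, grants_area(r, "billing", confidential))  # True
    print(r, grants_area(r, "audit", confidential))    # False: wildcard never covers confidential areas

    # Underscore delimiter and a custom wildcard string, as the page allows.
    r2 = parse_scoped_role("tenant1_ALL_reader", delimiter="_")
    print(r2, grants_area(r2, "billing", confidential, wildcard="ALL"))  # True
    print(r2, grants_area(r2, "billing", confidential))                  # False: "ALL" is a plain area name unless configured as the wildcard
```

Two points worth checking when adopting a custom delimiter or wildcard: the delimiter must not occur inside any part name, otherwise the three-part split is ambiguous (the parser above refuses such strings rather than guessing), and the wildcard must be evaluated against the confidential-area list on every request, since a wildcard role is meant to grant only the non-confidential areas.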

...

This feature allows organizations to customize access patterns and streamline role management by using intuitive and relevant wildcard symbols that align with their identity provider and access control strategies.

...

Role Claim configuration

The CDCM application allows for flexible customization of display names based on scoped role claims, enhancing the usage of different claims in the token coming from the IDP. With this configuration, the roles set in a specific claim are used for authorization in the CDCM application, and different fields in that claim can be used for the display names. This enhances clarity and alignment with organizational naming conventions. It is also possible to specify a prefix that is ignored when parsing the role claim string coming from the identity provider.

  • Configuration: Display names are configured using the environment variable OAUTH_CLAIM_CONFIGURATION. This variable should contain a JSON array, where each object defines the claim attribute (=roleClaimAttribute) and the corresponding display name format (=displayNameFormat), as well as an optional field for the prefix that is ignored while parsing the role string (=prefix).

  • JSON Format: Each object in the array specifies a roleClaimAttribute, a displayNameFormat and an optional prefix. The display name format can include placeholders of the form <<attribute>> to dynamically insert token attributes into the display name.

  • Example Configuration:

    [
        {
            "roleClaimAttribute": "roles",
            "prefix": "I_will_be_ignored",
            "displayNameFormat": "System user <<applicationId>>"
        },
        {
            "roleClaimAttribute": "groups",
            "displayNameFormat": "<<given_name>> <<family_name>>"
        },
        {
            "roleClaimAttribute": "cdcm.groups",
            "displayNameFormat": "<<given_name>> <<family_name>> | <<department>>"
        }
    ]

  • Usage: This configuration allows display names to be dynamically generated based on user attributes, providing personalized and informative identifiers. For example, a display name might appear as "System user 12345" or "John Doe | Sales" based on the claims found in the user token.
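The following is an added Python example, not code from the CDCM application, showing how a consumer of OAUTH_CLAIM_CONFIGURATION can validate the JSON array, strip the configured prefix from role strings, and render a display name by substituting <<attribute>> placeholders from the token. The configuration embedded below is modelled on the page's example but is constructed for this example (the prefix value "cdcm:" is an assumption), as are the token payloads; the choices that the first configured claim attribute present in the token wins and that "cdcm.groups" is looked up as a literal claim name rather than a nested path are also assumptions.

```python
import json
import os
import re
from typing import Dict, List, Optional, Tuple

# Placeholder syntax used in displayNameFormat, e.g. "<<given_name>>".
PLACEHOLDER = re.compile(r"<<([^<>]+)>>")

# Constructed configuration modelled on the page's example. The prefix value
# "cdcm:" and every token below are assumptions made for this example.
EXAMPLE_CONFIG = """
[
  {"roleClaimAttribute": "roles", "prefix": "cdcm:",
   "displayNameFormat": "System user <<applicationId>>"},
  {"roleClaimAttribute": "groups",
   "displayNameFormat": "<<given_name>> <<family_name>>"},
  {"roleClaimAttribute": "cdcm.groups",
   "displayNameFormat": "<<given_name>> <<family_name>> | <<department>>"}
]
"""


def load_claim_configuration(raw: str) -> List[dict]:
    """Parse and validate the OAUTH_CLAIM_CONFIGURATION JSON array."""
    config = json.loads(raw)
    if not isinstance(config, list):
        raise ValueError("OAUTH_CLAIM_CONFIGURATION must be a JSON array")
    for entry in config:
        for key in ("roleClaimAttribute", "displayNameFormat"):
            if not isinstance(entry.get(key), str):
                raise ValueError(f"entry {entry!r} lacks a string {key!r}")
    return config


def strip_prefix(role: str, prefix: Optional[str]) -> str:
    """Drop the configured prefix from a role string; roles without it are kept as-is."""
    if prefix and role.startswith(prefix):
        return role[len(prefix):]
    return role


def missing_placeholders(fmt: str, claims: Dict[str, object]) -> List[str]:
    """Names referenced by <<...>> in fmt that the token does not carry."""
    return [m.group(1) for m in PLACEHOLDER.finditer(fmt) if m.group(1) not in claims]


def render_display_name(fmt: str, claims: Dict[str, object]) -> str:
    """Substitute <<attribute>> placeholders with token claim values.

    A missing attribute is an error rather than an empty string, so a
    misconfigured format cannot silently produce a blank identity.
    """
    missing = missing_placeholders(fmt, claims)
    if missing:
        raise KeyError(f"token lacks claims {missing} required by {fmt!r}")
    return PLACEHOLDER.sub(lambda m: str(claims[m.group(1)]), fmt)


def resolve_roles(config: List[dict], claims: Dict[str, object]) -> Tuple[str, List[str]]:
    """Return (display name, role strings) for the first configured claim
    attribute present in the token (first-match order is an assumption).

    Claim attributes are looked up as literal keys, so "cdcm.groups" is the
    claim named "cdcm.groups", not a nested path (also an assumption).
    """
    for entry in config:
        attr = entry["roleClaimAttribute"]
        if attr not in claims:
            continue
        raw = claims[attr]
        values = [raw] if isinstance(raw, str) else list(raw)
        roles = [strip_prefix(str(v), entry.get("prefix")) for v in values]
        return render_display_name(entry["displayNameFormat"], claims), roles
    raise LookupError("token carries none of the configured role claim attributes")


if __name__ == "__main__":
    config = load_claim_configuration(
        os.environ.get("OAUTH_CLAIM_CONFIGURATION", EXAMPLE_CONFIG)
    )
    # Constructed decoded token payloads, not real IDP output.
    service_token = {"roles": ["cdcm:tenant1.billing.reader"], "applicationId": "12345"}
    user_token = {
        "cdcm.groups": ["tenant1.*.reader", "tenant1.audit.reader"],
        "given_name": "John", "family_name": "Doe", "department": "Sales",
    }
    print(resolve_roles(config, service_token))  # ('System user 12345', ['tenant1.billing.reader'])
    print(resolve_roles(config, user_token))     # ('John Doe | Sales', ['tenant1.*.reader', 'tenant1.audit.reader'])
```

Validating the configuration once at startup, and failing loudly when a format references a claim the token does not carry, keeps the display name from degrading into a partially blank string that could be mistaken for another user.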

...