Introduction

Access Manager can retrieve an attribute from an external resource and transform it before using the value in assertions and access policies. This feature supports user-attribute modifications such as transforming a value to uppercase. In some cases the user information needs to be retrieved from a third-party server over a REST endpoint, and NAM does not support a REST endpoint as a data source. To overcome this, the REST endpoint has to be called from JavaScript. The following solution describes how to call a REST endpoint and shows how to do complex attribute modification using Java within JavaScript.

Solution:

Java 8 comes with the Nashorn JavaScript engine, which runs JavaScript code natively on the JVM. Create utility methods in Java and call those Java functions from JavaScript.

The Java class used with the virtual-attribute JavaScript should implement static methods, because static methods are easy to call from JavaScript. Example Java class:

package testwebproj;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;

import javax.net.ssl.HttpsURLConnection;

public class BeanCls {
    // Static method invoked from the Nashorn virtual-attribute script.
    public static String fun1(String name) {
        /* Commented-out skeleton of an HTTPS call that reads and prints a page:
        String https_url = "https://www.google.com/";
        URL url;
        try {
            url = new URL(https_url);
            HttpsURLConnection con = (HttpsURLConnection) url.openConnection();

            System.out.println("****** Content read from the URL ********");
            BufferedReader br =
                new BufferedReader(
                    new InputStreamReader(con.getInputStream()));

            String input;

            while ((input = br.readLine()) != null) {
                System.out.println(input);
            }
            br.close();

        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        */
        System.out.format("Hi there from Java, %s ** ", name);
        return "greetings from java, " + name;
    }
}

The above bean class implements the static method "fun1". Parameters can be passed in from JavaScript, and an object can be returned to the JavaScript code that invoked the Java method. The example below shows how to invoke "BeanCls" from JavaScript.

var MyJavaClass = Java.type('testwebproj.BeanCls');
print(MyJavaClass);
var result = MyJavaClass.fun1('John Doe'); // java method return value
print(result);

You can write your own Java utility method that calls the REST endpoint and returns the value to be used as the virtual attribute value.
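As an added example (not code from the original post), the hypothetical utility class RestAttributeUtil below shows one way to write such a method with java.net.HttpURLConnection: it URL-encodes the user identifier, bounds the connect and read time so a slow endpoint cannot stall logins on the IDP, checks the HTTP status, and returns the response body or null for the script to handle. The endpoint URL, the query parameter name and the 3-second timeout are assumptions.

```java
package testwebproj;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example (not from the original post): a static helper the virtual-attribute
// script can call as Java.type('testwebproj.RestAttributeUtil').lookup(userId).
public class RestAttributeUtil {
    // Assumed endpoint and query parameter; replace with the real attribute service.
    private static final String BASE_URL = "https://attributes.example.com/api/user";
    private static final int TIMEOUT_MS = 3000;

    // Returns the response body, or null if the lookup fails, so the script can
    // fall back to a default value instead of breaking authentication.
    public static String lookup(String userId) {
        if (userId == null) return null;
        HttpURLConnection con = null;
        try {
            // Encode the identifier so a crafted user name cannot alter the query string.
            String query = "?uid=" + URLEncoder.encode(userId, StandardCharsets.UTF_8.name());
            con = (HttpURLConnection) new URL(BASE_URL + query).openConnection();
            con.setRequestMethod("GET");
            con.setRequestProperty("Accept", "application/json");
            // Bound the wait: a hung endpoint must not stall every login on the IDP.
            con.setConnectTimeout(TIMEOUT_MS);
            con.setReadTimeout(TIMEOUT_MS);
            if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
                return null;
            }
            StringBuilder body = new StringBuilder();
            try (BufferedReader br = new BufferedReader(
                    new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = br.readLine()) != null) {
                    body.append(line);
                }
            }
            return body.toString();
        } catch (IOException e) {
            // Degrade gracefully rather than throwing an exception into the script engine.
            return null;
        } finally {
            if (con != null) con.disconnect();
        }
    }
}
```

In the virtual-attribute script, check the returned value for null and return a default, so an unreachable attribute service yields a predictable attribute value instead of a script error.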

Configuration Steps:

  1. Create a Java utility class with a static method (the example Java class is above on this page).
  2. Make a jar of the utility class and copy the jar to the IDP at /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib, or copy the classes with their package structure to the IDP's NIDP webapp classes folder.
  3. Restart the IDP (/etc/init.d/novell-idp restart).
  4. Log in to the admin console.
  5. Click IDP Clusters -> Shared Settings.
  6. Select Virtual Attributes.
  7. Click '+' to add a new virtual attribute.

    [Screenshot: virtual-attribute-config]

  8. Give the virtual attribute a name and description.
  9. Go to Step 2 and select "Advanced: Javascript". Provide the script with 'function main()' as the default method and call your custom JavaScript method according to your requirements. Example below:

    function main(){
        return mapGroups();
    }

    function mapGroups(){
        var MyJavaClass = Java.type('testwebproj.BeanCls');
        var result = MyJavaClass.fun1('John Doe');
        return "**"+result;
    }

    [Screenshot: virtual-attribute-script]

  10. Note: the test will fail with a class-not-found error; ignore this error, or copy your utility class jar to the admin console under the nps project.
  11. Click OK and update the IDP.
  12. The virtual attribute is now ready to use. The utility Java class can read the REST endpoint and return the required value.
  13. The virtual attribute can be configured as part of an access policy, or added to an attribute set and sent with the assertion.
    Access policy example: an Identity Injection (II) policy injects the virtual attribute into a custom header.

    [Screenshot: virtual-attribute-policy]


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: cstumula
Dec 5, 2016
12:10 pm