Changing the default JWT claim for the OIDC user ID
You can change the sub JSON Web Token (JWT) claim for the OpenID Connect (OIDC) user ID under the options file's core section.
About this task
By default, when a user signs on to the Policy Editor with OIDC, the Policy Editor uses the sub JWT claim in the following operations:
- Extracts the sub claim value from the ID token and:
  - Records the sub claim value in the Creator column of the Commits table when the user makes commits (see Branch Manager → Version Control)
- Makes a request to the UserInfo endpoint and:
  - Uses the sub claim value from the response as the user data
  - Displays the user data in the upper right of the page
If your organization wants to use a non-default claim for the OIDC user ID, such as email, you can define this claim by completing the following steps.
You must configure your OIDC provider to include the claim in both the
Steps
- Make a copy of the default options file:
  Example:
  $ cp config/options.yml my-options.yml
- In the core section of the new options file, uncomment the example Authentication.oidcUserIdField field that uses the email claim:
  Example:
  core:
    # Use a JWT claim other than "sub" for the OIDC User ID.
    #
    # Authentication.oidcUserIdField: jwt_claim
    # Authentication.oidcUserIdField: "email"
- Optional: If needed, change the email claim to your organization's preferred claim.
- Stop the Policy Editor:
  Example:
  $ bin/stop-server
- Run setup using the --optionsFile argument and customize all other options as appropriate for your needs:
  Example:
  $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret pingauthorize \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml
- Start the Policy Editor:
  Example:
  $ bin/start-server
- Commit a policy change in the Policy Editor at Branch Manager → Version Control.
- Verify that your claim is being used:
  - Select any branch and verify that the new claim value appears in the upper right of the application window.
  - Verify that the new claim value appears in the Creator column of the Commits table for the commit you made in the previous step.
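As an added pre-flight check (not part of the original page or the product), the following Python reads the active Authentication.oidcUserIdField value from an options file excerpt and reports whether a captured ID token and a UserInfo response both carry that claim, since the Policy Editor reads the user ID from both places. The options text, ID token and UserInfo response are constructed samples; the script decodes the JWT payload for inspection only and does not verify its signature.

```python
import base64
import json
import re

# Constructed options file excerpt: the page's example with the "email" line
# uncommented. Not the project's own file contents.
OPTIONS_YML = """core:
  # Use a JWT claim other than "sub" for the OIDC User ID.
  #
  # Authentication.oidcUserIdField: jwt_claim
  Authentication.oidcUserIdField: "email"
"""

def configured_claim(options_text, default="sub"):
    """Return the uncommented oidcUserIdField value, or the default "sub"."""
    pattern = r'^\s*Authentication\.oidcUserIdField:\s*"?([^"\s#]+)"?'
    match = re.search(pattern, options_text, re.M)  # '^\s*' skips '#' comment lines
    return match.group(1) if match else default

def jwt_claims(token):
    """Decode the payload segment of a compact JWT (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_sources(claim, id_token, userinfo):
    """Name each source (ID token, UserInfo response) that lacks the claim."""
    missing = []
    if claim not in jwt_claims(id_token):
        missing.append("id_token")
    if claim not in userinfo:
        missing.append("userinfo")
    return missing

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed ID token: header, payload and a placeholder signature segment.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "3f9c1a", "email": "jdoe@example.com", "iss": "https://idp.example.com"}),
    "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
])
# Constructed UserInfo response that omits "email": the gap this check catches.
SAMPLE_USERINFO = {"sub": "3f9c1a", "name": "J. Doe"}

if __name__ == "__main__":
    claim = configured_claim(OPTIONS_YML)
    print("claim:", claim, "missing from:", missing_sources(claim, SAMPLE_ID_TOKEN, SAMPLE_USERINFO))
```

A non-empty result means the provider must be updated to emit the claim in that source before the Policy Editor is restarted with the new options file.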