---
title: Get user profile information from AM
description: Retrieve user profile attributes of an AM user, and provide them in the UserProfileContext to downstream filters and handlers. Profile attributes that are enabled in AM can be retrieved, except the roles attribute.
component: pinggateway
version: 7.2
page_id: pinggateway:gateway-guide:profile-am
canonical_url: https://docs.pingidentity.com/pinggateway/7.2/gateway-guide/profile-am.html
revdate: 2024-09-18T12:36:34Z
section_ids:
  UserProfileFilter-retrieve-attrib: Retrieve profile attributes for a user authenticated with an SSO token
  UserProfileFilter-retrieve-username-sessinfo: Retrieve a username from the sessionInfo context
  UserProfileFilter-retrieve-username-oauth2: Retrieving a username from the OAuth2Context
---

# Get user profile information from AM

Retrieve user profile attributes of an AM user, and provide them in the UserProfileContext to downstream filters and handlers. Profile attributes that are enabled in AM can be retrieved, except the `roles` attribute.

The `userProfile` property of AmService is configured to retrieve `employeeNumber` and `mail`. When the property is not configured, all available attributes in `rawInfo` or `asJsonValue()` are displayed.

## Retrieve profile attributes for a user authenticated with an SSO token

In this example, the user is authenticated with AM through the SingleSignOnFilter, which stores the SSO token and its validation information in the `SsoTokenContext`. The UserProfileFilter retrieves the user's mail and employee number, as well as the `username`, `_id`, and `_rev`, from that context.

1. Set up AM:

   1. Select Applications > Agents > Identity Gateway, and add an agent with the following values:

      * Agent ID: `ig_agent`

      * Password: `password`

        For AM 6.5.x and earlier versions, set up an agent as described in [Set up an IG agent in AM 6.5 and earlier](preface.html#setup-agent-65).

   2. (From AM 6.5.3) Select Services > Add a Service, and add a Validation Service with the following Valid goto URL Resources:

      * `http://ig.example.com:8080/*`

      * `http://ig.example.com:8080/*?*`

2. Set up IG:

   1. Set an environment variable for the IG agent password, and then restart IG:

      ```bash
      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='
      ```

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

   2. Add the following route to IG:

      * Linux

        ```
        $HOME/.openig/config/routes/user-profile-sso.json
        ```

      * Windows

        ```
        %appdata%\OpenIG\config\routes\user-profile-sso.json
        ```

      ```json
      {
        "name": "user-profile-sso",
        "condition": "${find(request.uri.path, '^/user-profile-sso')}",
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "http://am.example.com:8088/openam",
              "realm": "/",
              "version": "7.2",
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "amHandler": "ForgeRockClientHandler"
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "SingleSignOnFilter",
                "type": "SingleSignOnFilter",
                "config": {
                  "amService": "AmService-1"
                }
              },
              {
                "name": "UserProfileFilter-1",
                "type": "UserProfileFilter",
                "config": {
                  "username": "${contexts.ssoToken.info.uid}",
                  "userProfileService": {
                    "type": "UserProfileService",
                    "config": {
                      "amService": "AmService-1",
                      "profileAttributes": [ "employeeNumber", "mail" ]
                    }
                  }
                }
              }
            ],
            "handler": {
              "type": "StaticResponseHandler",
              "config": {
                "status": 200,
                "headers": {
                  "Content-Type": [ "text/html; charset=UTF-8" ]
                },
                "entity": "<html><body>username: ${contexts.userProfile.username}<br><br>rawInfo: <pre>${contexts.userProfile.rawInfo}</pre></body></html>"
              }
            }
          }
        }
      }
      ```

3. Test the setup:

   1. Go to <http://ig.example.com:8080/user-profile-sso>.

   2. Log in to AM with username `demo` and password `Ch4ng31t`.

      The UserProfileFilter retrieves the user's profile data and stores it in the UserProfileContext. The StaticResponseHandler displays the username and the profile data that is available in `rawInfo`:

      ```
      username: demo
      rawInfo: {_id=demo, _rev=273001616, employeeNumber=[123], mail=[demo@example.com], username=demo}
      ```
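
A preflight check for the agent secret set in step 2, as an added example that is not part of the original guide. It maps each `passwordSecretId` in a route to the environment variable that SystemAndEnvSecretStore reads (upper case, periods replaced by underscores) and confirms the value is strict base64 with no stray whitespace after decoding. The function names and the trimmed route text are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample: the secret-related lines of user-profile-sso.json.
ROUTE_TEXT = """
"agent": {
  "username": "ig_agent",
  "passwordSecretId": "agent.secret.id"
},
"secretsProvider": "SystemAndEnvSecretStore-1"
"""

SECRET_ID = re.compile(r'"passwordSecretId"\s*:\s*"([^"]+)"')


def env_name(secret_id):
    """Name SystemAndEnvSecretStore looks up: upper case, '.' becomes '_'."""
    return secret_id.upper().replace(".", "_")


def check_secrets(route_text, environ):
    """Return {variable: problem} for secrets that are missing or mis-encoded."""
    problems = {}
    for secret_id in sorted(set(SECRET_ID.findall(route_text))):
        name = env_name(secret_id)
        value = environ.get(name)
        if value is None:
            problems[name] = "not set"
            continue
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems[name] = "not valid base64"
            continue
        if decoded != decoded.strip():
            # Typical of `echo password | base64`, which encodes the newline too.
            problems[name] = "decoded secret has leading or trailing whitespace"
    return problems


if __name__ == "__main__":
    import os
    print(check_secrets(ROUTE_TEXT, os.environ) or "all secrets OK")
```

Run it in the same environment that starts IG, so it sees the variables IG will see.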

## Retrieve a username from the sessionInfo context

In this example, the UserProfileFilter retrieves AM profile information for the user identified by the SessionInfoContext, at `${contexts.amSession.username}`. The SessionInfoFilter validates an SSO token without redirecting the request to an authentication page.

1. Set up AM:

   1. Select Applications > Agents > Identity Gateway, and add an agent with the following values:

      * Agent ID: `ig_agent`

      * Password: `password`

        For AM 6.5.x and earlier versions, set up an agent as described in [Set up an IG agent in AM 6.5 and earlier](preface.html#setup-agent-65).

2. Set up IG:

   1. Set an environment variable for the IG agent password, and then restart IG:

      ```bash
      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='
      ```

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

   2. Add the following route to IG:

      * Linux

        ```
        $HOME/.openig/config/routes/user-profile-ses-info.json
        ```

      * Windows

        ```
        %appdata%\OpenIG\config\routes\user-profile-ses-info.json
        ```

      ```json
      {
        "name": "user-profile-ses-info",
        "condition": "${find(request.uri.path, '^/user-profile-ses-info')}",
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "http://am.example.com:8088/openam",
              "realm": "/",
              "version": "7.2",
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "amHandler": "ForgeRockClientHandler"
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "capture": "all",
          "config": {
            "filters": [
              {
                "name": "SessionInfoFilter-1",
                "type": "SessionInfoFilter",
                "config": {
                  "amService": "AmService-1"
                }
              },
              {
                "name": "UserProfileFilter-1",
                "type": "UserProfileFilter",
                "config": {
                  "username": "${contexts.amSession.username}",
                  "userProfileService": {
                    "type": "UserProfileService",
                    "config": {
                      "amService": "AmService-1",
                      "profileAttributes": [ "employeeNumber", "mail" ]
                    }
                  }
                }
              }
            ],
            "handler": {
              "type": "StaticResponseHandler",
              "config": {
                "status": 200,
                "headers": {
                  "Content-Type": [ "application/json" ]
                },
                "entity": "{ \"username\": \"${contexts.userProfile.username}\", \"user_profile\":  ${contexts.userProfile.asJsonValue()} }"
              }
            }
          }
        }
      }
      ```

3. Test the setup:

   1. In a terminal window, retrieve an SSO token:

      ```bash
      $ curl --request POST \
      --url http://am.example.com:8088/openam/json/realms/root/authenticate \
      --header 'accept-api-version: resource=2.0' \
      --header 'content-type: application/json' \
      --header 'x-openam-username: demo' \
      --header 'x-openam-password: Ch4ng31t' \
      --data '{}'

      {"tokenId":"AQIC5wM2LY . . . Dg5AAJTMQAA*","successUrl":"/openam/console"}
      ```

   2. Access the route, providing the token ID retrieved in the previous step, where iPlanetDirectoryPro is the name of the AM session cookie:

      ```bash
      $ curl --cookie 'iPlanetDirectoryPro=tokenID' http://ig.example.com:8080/user-profile-ses-info | jq .

      {
        "username": "demo",
        "user_profile": {
          "_id": "demo",
          "_rev": "123...456",
          "employeeNumber": ["123"],
          "mail": ["demo@example.com"],
          "username": "demo"
        }
      }
      ```

      To find the name of your AM session cookie, see [Find the name of your AM session cookie](preface.html#am-session-cookie).

      The UserProfileFilter retrieves the user's profile data and stores it in the UserProfileContext. The StaticResponseHandler displays the username and the profile data that is available in `asJsonValue()`.

## Retrieving a username from the OAuth2Context

In this example, the OAuth2ResourceServerFilter validates a request containing an OAuth 2.0 access token, using the introspection endpoint, and injects the token into the OAuth2Context. The UserProfileFilter retrieves AM profile information for the user identified by this context.

1. Set up AM as described in [Validate access tokens through the introspection endpoint](oauth2-rs.html#oauth2-rs-introspect).

2. Set up IG:

   1. Set an environment variable for the IG agent password, and then restart IG:

      ```bash
      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='
      ```

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

   2. Add the following route to IG:

      * Linux

        ```
        $HOME/.openig/config/routes/user-profile-oauth.json
        ```

      * Windows

        ```
        %appdata%\OpenIG\config\routes\user-profile-oauth.json
        ```

      ```json
      {
        "name": "user-profile-oauth",
        "baseURI": "http://app.example.com:8081",
        "condition": "${find(request.uri.path, '^/user-profile-oauth')}",
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "http://am.example.com:8088/openam",
              "realm": "/",
              "version": "7.2",
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "amHandler": "ForgeRockClientHandler"
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "OAuth2ResourceServerFilter-1",
                "type": "OAuth2ResourceServerFilter",
                "config": {
                  "scopes": [
                    "mail",
                    "employeenumber"
                  ],
                  "requireHttps": false,
                  "realm": "OpenIG",
                  "accessTokenResolver": {
                    "name": "token-resolver-1",
                    "type": "TokenIntrospectionAccessTokenResolver",
                    "config": {
                      "amService": "AmService-1",
                      "providerHandler": {
                        "type": "Chain",
                        "config": {
                          "filters": [
                            {
                              "type": "HttpBasicAuthenticationClientFilter",
                              "config": {
                                "username": "ig_agent",
                                "passwordSecretId": "agent.secret.id",
                                "secretsProvider": "SystemAndEnvSecretStore-1"
                              }
                            }
                          ],
                          "handler": "ForgeRockClientHandler"
                        }
                      }
                    }
                  }
                }
              },
              {
                "name": "UserProfileFilter-1",
                "type": "UserProfileFilter",
                "config": {
                  "username": "${contexts.oauth2.accessToken.info.sub}",
                  "userProfileService": {
                    "type": "UserProfileService",
                    "config": {
                      "amService": "AmService-1",
                      "profileAttributes": [ "employeeNumber", "mail" ]
                    }
                  }
                }
              }
            ],
            "handler": {
              "type": "StaticResponseHandler",
              "config": {
                "status": 200,
                "headers": {
                  "Content-Type": [ "application/json" ]
                },
                "entity": "{ \"username\": \"${contexts.userProfile.username}\", \"user_profile\":  ${contexts.userProfile.asJsonValue()} }"
              }
            }
          }
        }
      }
      ```

3. Test the setup:

   1. In a terminal window, use a `curl` command similar to the following to retrieve an access token:

      ```bash
      $ mytoken=$(curl -s \
      --user "client-application:password" \
      --data "grant_type=password&username=demo&password=Ch4ng31t&scope=mail%20employeenumber" \
      http://am.example.com:8088/openam/oauth2/access_token | jq -r ".access_token")
      ```

   2. Validate the access token returned in the previous step:

      ```bash
      $ curl -v http://ig.example.com:8080/user-profile-oauth --header "Authorization: Bearer ${mytoken}" | jq .

      {
        "username": "demo",
        "user_profile": {
          "_id": "demo",
          "_rev": "123…456",
          "employeeNumber": ["123"],
          "mail": ["demo@example.com"],
          "username": "demo"
        }
      }
      ```

      The UserProfileFilter retrieves the user's profile data and stores it in the UserProfileContext. The StaticResponseHandler displays the username and the profile data that is available in `asJsonValue()`.
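
A route audit for the configurations on this page, as an added example that is not part of the original guide. It flags a UserProfileService with no `profileAttributes` list (all available attributes are then returned), flags `requireHttps: false`, and compares a returned `user_profile` object with the attributes the route lists. The function names, finding strings and trimmed route are constructed for illustration; `_id`, `_rev` and `username` are assumed to be always present, as in the sample output.

```python
import json

ALWAYS_PRESENT = {"_id", "_rev", "username"}  # present in the guide's sample output

# Constructed sample: the filters of user-profile-oauth.json, trimmed.
ROUTE = json.loads("""
{"handler": {"type": "Chain", "config": {"filters": [
  {"type": "OAuth2ResourceServerFilter",
   "config": {"scopes": ["mail", "employeenumber"], "requireHttps": false}},
  {"type": "UserProfileFilter",
   "config": {"userProfileService": {
     "type": "UserProfileService",
     "config": {"profileAttributes": ["employeeNumber", "mail"]}}}}
]}}}
""")


def walk(node):
    """Yield every JSON object nested anywhere inside the route."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def audit_route(route):
    """Return (findings, attribute names the route is meant to expose)."""
    findings, allowed = [], set(ALWAYS_PRESENT)
    for obj in walk(route):
        config = obj.get("config")
        if not isinstance(config, dict):
            continue
        if obj.get("type") == "UserProfileService":
            attrs = config.get("profileAttributes")
            if attrs:
                allowed.update(attrs)
            else:
                findings.append("UserProfileService has no profileAttributes allow-list")
        if config.get("requireHttps") is False:
            findings.append("requireHttps is false: requests accepted over HTTP")
    return findings, allowed


def unexpected_attributes(profile, allowed):
    """Names in a returned user_profile object that the route does not list."""
    return sorted(set(profile) - allowed)
```

Pass the `user_profile` object from the route's JSON response to `unexpected_attributes` to confirm that a downstream application receives only the listed attributes.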
