Configure multiple subjectMapping in authentication.json

KaranNayyar1 · April 23, 2024, 8:48am

Can we have multiple subjectmapping in authentication.json file. Error is thrown for below configuration of the authentication.json file.

"subjectMapping" : [
            {
                "resourceTypeMapping" : {
                    "usr" : "managed/user"
                },
                "propertyMapping" : {
                    "sub" : "_id"
                },
                "userRoles" : "authzRoles/*",
                "additionalUserFields" : [
                    "adminOfOrg",
                    "ownerOfOrg"
                ],
                "defaultRoles" : [
                    "internal/role/openidm-authorized"
                ]
            },
			{
                "resourceTypeMapping" : {
                    "usr" : "managed/user"
                },
                "propertyMapping" : {
                    "sub" : "userName"
                },
                "userRoles" : "authzRoles/*",
                "additionalUserFields" : [
                    "adminOfOrg",
                    "ownerOfOrg"
                ],
                "defaultRoles" : [
                    "internal/role/openidm-authorized"
                ]
            }
        ]

Error Reported: rsfilter contains ambiguous subjectmappings

mwtech · April 23, 2024, 4:35pm

@KaranNayyar1 I can’t find any specific documentation that explicitly states that you must use unique resourceTypeMapping values, but looking at this configuration how would you expect IDM to know which property to map to the sub claim?

What is the overall problem you are trying to solve?

mtuhin · April 23, 2024, 7:40pm

Are these multiple ‘subjectmapping’ corresponding to multiple realms in AM? If yes, you need to add the ‘realm’ property in each of the ‘subjectmapping’.

For details, check the relevant IDM doc: Authenticate through AM :: IDM 7.5.0

KaranNayyar1 · April 24, 2024, 6:54am

The access token when introspected has a sub format in (usr!userName) format. I am expecting IDM to iterate through the array of subjectMapping and map it to the apprpriate mapping found. In this case,below

"propertyMapping" : {
                    "sub" : "userName"
                },

mwtech · April 24, 2024, 2:13pm

Do you need this mapping for the root realm? As @mtuhin pointed out, you can use the realm property to specify the realm for which this mapping will apply.

From the documentation:

You cannot have more than one mapping for the same realm, and you cannot have more than one mapping that has no realm in the configuration.