How to Retrieve User ID in Redirected Website After Successful OpenAM Login

anees.am · July 27, 2024, 10:44am

Hello,

I am currently setting up OpenAM 7.4.0 with OpenDJ as the data store. I’ve configured rest2ldap and can create users in OpenDJ using REST APIs and successfully log into these users from OpenAM. I have set up a redirection to another website upon successful login in OpenAM. However, I need assistance with retrieving the user ID in the redirected website. Additionally, I need help specifying the group name to which a user should be mapped during user creation via the REST API.

Question 1:

Upon successful login in OpenAM, I am redirecting the user to another website. For this, I have configured the success URL under realm->Authentication->Chains->ldapService, and the redirection works perfectly.

Now, I want to know the user ID in my redirected website for the currently logged-in user in OpenAM. How can I achieve this?

Question 2:

This is the curl command I am using to create a user in OpenDJ:

curl \
 --request PUT \
 --user admin:password \
 --header "Content-Type: application/json" \
 --header "If-None-Match: *" \
 --data '{
  "_id": "testuser4",
  "_schema": "frapi:opendj:rest2ldap:user:1.0",
  "contactInformation": {
    "telephoneNumber": "+1 408 555 1212",
    "emailAddress": "testuser4@example.com"
  },
  "name": {
    "familyName": "Test",
    "givenName": "User"
  },
  "displayName": ["Test User"],
  "manager": {
    "_id": "admin",
    "displayName": "admin"
  }
 }' \
 --cacert server-cert.pem \
 https://opendj.example.com:8443/api/users/testuser4?_prettyPrint=true

How can I specify the group name to which the user should be mapped during the user creation process using this curl command?

Thanks in advance
Anees

mwtech · July 29, 2024, 6:11pm

Hi @anees.am

Question 1: How is this other website enforcing the presence of an AM session? Are you using IG? An AM web agent? The method by which you are protecting the website and enforcing the need for an AM session will drive the answer to your question.

Question 2: You will need to make a separate call to the API, using the groups resource instead of the users resource. This is due to the fact that the relationship between a group and its members is done at the group level. The API can be used on the users resource to read which groups a user is part of, but this is a readonly attribute.

patrick_diligent · July 29, 2024, 11:28pm

To add on @mwtech great answer there is another question: what kind of groups are we talking about? Be careful in accessing a static group directly where there are a lot of members, it could be a performance hit. Ensure that caching is properly tuned in this case. You can always access the user’s group via the `memberOf`` attribute. Especially for dynamic groups, accessing a dynamic group entry will not show the list of members.