Scripting external REST API calls before releasing SAML assertion response

We are trying to accomplish the following:
We have external systems that are accessed via REST APIs and that contain certain data that we need to release inside the SAML assertion. We are not allowed to have this data inside ForgeRock as an attribute for various reasons, and need to obtain that data by querying our external system via REST API.
For OAuth integration, ForgeRock provides a script that contains an HTTPClient which allows us to perform REST API calls before releasing information inside the id_token; however, with SAML there is no such script that can be triggered (or at least there is no sample provided).
In short, what we want to do is to trigger a REST call to the external system and provide that information inside the SAML assertion. Is there a way to accomplish this?

Hi @moses.feinstein

It sounds to me like you are looking for this:
https://backstage.forgerock.com/docs/am/7.4/saml2-guide/plugins-idp-attribute-mapper.html#scripted_implementation

So I did implement the idp-attribute-mapper.js script as shown in the provided doc, and everything works as expected with regard to the ability to inject a custom attribute into the SAML assertion. However, what I now need in this script is to call the external system via REST API; typically httpClient would be available in similar scripts such as the OAuth Access Token Modification Script. However, inside idp-attribute-mapper.js they don't provide that example. I tried various methods to import httpClient in this script but with no luck.
Would you happen to have an example of how to import httpClient inside idp-attribute-mapper.js?
Here is their script template reference:
https://backstage.forgerock.com/docs/idcloud/latest/am-scripting/sample-scripts.html#saml2-idp-attribute-mapper-js
Thank you!

For those who may encounter a similar issue where they need to pass an external system attribute to the SAML assertion, this can be handled by injecting it inside the authentication Journey and setting the session attribute there. The session variable is available inside Saml2-Attribute-Mapper.js, so you can extract and add the attribute from the session and then pass it to the SAML assertion. Since httpClient is available inside the authentication Journey, you can query the attribute there.