
SAML Populate Lambda add user group names

  • H
    hthornton
    last edited by 29 Oct 2021, 15:07

    How would I go about constructing a lambda to add a list of groups a user belongs to to the samlResponse.assertion?

    • H
      hthornton @hthornton
      last edited by 29 Oct 2021, 15:16

      I've figured out how to get the groupids in the response but not translate them into group names.

      • J
        joshua
        last edited by 2 Nov 2021, 18:09

        @hthornton

        I don't believe this is currently possible.

        You typically would have to hard code any values to be translated in a populate lambda (for instance). You could add (hard code) a map or hash of sorts that would translate for you. This would be some integration code in the lambda that says:

        Hash.new = {
        <group_id_uuid> = <group_name>
        }
        
        jwt.group_name = Hash[group_id_uuid]
        

        This is obviously pseudocode, but this may be an option (have not tested).

        We have a few open issues related to extending the functionality of lambdas you could upvote as well:

        • https://github.com/FusionAuth/fusionauth-issues/issues/1429
        • https://github.com/FusionAuth/fusionauth-issues/issues/1355
        • https://github.com/FusionAuth/fusionauth-issues/issues/267
        • https://github.com/FusionAuth/fusionauth-issues/issues/571

        Another option would be to add more integration code that calls from your app to FusionAuth to get the common_group_name based on the groupId. So if you have a user that gets authenticated, you would translate the groupId at a later time by calling this API endpoint from your app.

        • https://fusionauth.io/docs/v1/tech/apis/groups/#retrieve-a-group

        This may present its own challenges but thought I would mention it as well.

        Best of luck; hope this helps!

        Thanks,
        Josh

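The hard-coded map suggested in the reply above, written out as a SAML v2 populate lambda. This is an added example, not code from the thread or from FusionAuth. The UUIDs, group names, the `groups` attribute name and the `groupNamesFor` helper are assumptions, and it assumes the `user` object passed to the lambda carries `memberships` entries with a `groupId`.

```javascript
// Constructed sample mapping: these UUIDs and names are placeholders, not real groups.
// Replace them with the group IDs and names from your own FusionAuth tenant.
var GROUP_NAMES = {
  '11111111-1111-4111-8111-111111111111': 'app-admins',
  '22222222-2222-4222-8222-222222222222': 'app-users'
};

// Translate a user's memberships into group names using the hard-coded map.
// Unknown group IDs are dropped rather than passed through, so the service
// provider never receives a group value that was not explicitly mapped.
function groupNamesFor(user) {
  var memberships = (user && user.memberships) || [];
  var names = [];
  for (var i = 0; i < memberships.length; i++) {
    var id = memberships[i].groupId;
    // hasOwnProperty avoids matching inherited keys such as 'toString'.
    if (Object.prototype.hasOwnProperty.call(GROUP_NAMES, id)) {
      var name = GROUP_NAMES[id];
      if (names.indexOf(name) === -1) {
        names.push(name);
      }
    }
  }
  return names.sort();
}

// SAML v2 populate lambda entry point.
// 'groups' as the attribute name is an assumption; use whatever the SP expects.
function populate(samlResponse, user, registration) {
  samlResponse.assertion.attributes['groups'] = groupNamesFor(user);
}

// Constructed sample objects for a local run outside FusionAuth.
var sampleUser = {
  memberships: [
    { groupId: '22222222-2222-4222-8222-222222222222' },
    { groupId: '11111111-1111-4111-8111-111111111111' },
    { groupId: '33333333-3333-4333-8333-333333333333' } // not in the map
  ]
};
var sampleResponse = { assertion: { attributes: {} } };
populate(sampleResponse, sampleUser, {});
console.log(JSON.stringify(sampleResponse.assertion.attributes));
```

The map has to be updated by hand whenever a group is added or renamed, since a membership whose ID is missing from it is silently left out of the assertion.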
        • H
          hthornton @joshua
          last edited by 3 Nov 2021, 00:15

          @joshua
          Thanks. I've up-voted a few of those open issues.

          Since I'm trying to make this work for a COTS application I don't have the luxury of injecting another API call.

          For now I'm pretending that the groupId being returned is the LDAP distinguished name for the group (I prefixed it in the Lambda with dn=). Then I can trick the application into looking up the group by the LDAP dn instead of name.
