Method based custom group in CID for internal access control

If the application wants to grant special rights based on the authentication method the user chose when logging in, a custom group name is needed that can be configured in permissions.properties.

In this case, SSO sends the authentication method selected by the user to CID (the end application), and CID can then decide whether any privileges or restrictions need to be applied to that user based on the selected method.
For CID to grant such permissions to particular users based on the selected authentication method, a custom group must be created that can be configured in permissions.properties.

Below are the steps for configuring a method-based custom group for CID:

  1. For the authentication methods that should grant special rights to logged-in users, an Attribute Mapping must be created that adds the attribute value “OTPUser” to those methods (this will be the name of the custom group).
    More details on Attribute Mapping: https://ubisecuredev.atlassian.net/l/c/8YtHmgLV

  2. Go to SSO Management → Attribute Mapping → Create new Mapping
    Main Tab → Name: AddOTPUser
    Attributes Tab → precondition can be empty, Attribute name: group, Attribute value: OTPUser
    Methods Tab → select the authentication method(s) that should grant special rights

    [Screenshot: Attribute Mapping]

  3. Go to eIDM Services → authorization policies → eidm2.policy → attributes

  4. For the attribute “group”, click on new value → select the group eIDM Groups / eIDMUser.

  5. In the value field of the new value row, add “method: group” as shown in the screenshot below.

  6. All logins using the methods selected in step 1 now also carry the group attribute value OTPUser.
    You can verify in the DEBUG logs that the group name is being passed correctly, for example:

    2022-04-25 13:12:18,319 authz name=group, value=method:group, expr=${method["group"]}, result=OTPUser

  7. In the CustomerID permission.properties, the newly created custom group, grp: OTPUser, can be used to restrict or grant permissions where necessary.
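As an added illustration (not Ubisecure SSO or CustomerID code), the Python below models the data flow the steps above configure, from the Attribute Mapping on the selected method to the group value CID receives, and parses the step-6 DEBUG line to verify the result. The method name "totp" and the "method:<attr>" lookup syntax are assumptions; the mapping name, attribute and group value come from the steps.

```python
import re
from dataclasses import dataclass

# Constructed model of the flow above (not Ubisecure code); method names and the
# 'method:<attr>' lookup syntax are assumptions, the rest follows the steps.

@dataclass(frozen=True)
class AttributeMapping:
    """One SSO Attribute Mapping (step 2): attribute/value added to the listed methods."""
    name: str
    attribute: str
    value: str
    methods: frozenset

def method_attributes(selected_method, mappings):
    """Attributes SSO attaches to the authentication method the user chose."""
    attrs = {}
    for m in mappings:
        if selected_method in m.methods:
            attrs.setdefault(m.attribute, []).append(m.value)
    return attrs

def resolve_policy_value(value_expr, method_attrs):
    """Evaluate a policy value such as 'method:group' (steps 3-5):
    'method:<attr>' reads <attr> from the selected method's attributes."""
    source, sep, attr = value_expr.partition(":")
    if not sep or source.strip() != "method":
        raise ValueError(f"unsupported policy value: {value_expr!r}")
    return list(method_attrs.get(attr.strip(), []))

def groups_for_login(selected_method, mappings, group_policy_values):
    """Values of the 'group' attribute CID receives for this login (step 6)."""
    attrs = method_attributes(selected_method, mappings)
    groups = []
    for expr in group_policy_values:
        groups.extend(resolve_policy_value(expr, attrs))
    return groups

AUTHZ_LINE = re.compile(r"authz name=(?P<name>[^,]+), value=(?P<value>[^,]+), "
                        r"expr=(?P<expr>.+?), result=(?P<result>.*)$")

def parse_authz_line(line):
    """Parse the DEBUG 'authz' line shown in step 6; None if the line is not one."""
    m = AUTHZ_LINE.search(line)
    return m.groupdict() if m else None

def log_shows_group(log_lines, group_name):
    """True if any DEBUG authz line resolved the 'group' attribute to group_name."""
    records = (parse_authz_line(line) for line in log_lines)
    return any(r and r["name"] == "group" and r["result"] == group_name for r in records)
```

A method that is not listed in the mapping yields no OTPUser value, which is exactly what the DEBUG check in step 6 would reveal if the Methods tab was left incomplete.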