ADAP External Token Validators
External token validators allow an application to use an access token to call an API on its own behalf. The API then responds with the requested data. This section assumes that your OIDC provider is already set up.
The processes described in this section are not hardened against security risks. For more information on hardening RadiantOne, refer to the RadiantOne Hardening Guide.
Getting an Access Token
This section describes using the Postman REST client to obtain an access token.
- Start a new request.
- Click the Auth tab.
- From the Type drop down menu, select OAuth 2.0. The Current Token section displays.
Figure 21: The Type drop-down menu
- In the Configure New Token section, enter the Client ID and Client Secret.
  Note: These values were created during the OIDC provider configuration process.
- Provide the Access Token URL.
  Note: This value can be found using the metadata URL from the Authorization Server.
Figure 22: Configuring an access token in Postman
- Click Get New Access Token. The new access token's details are displayed.
Figure 23: The Token Details section in Postman
Copy this token and decode it for the values needed by the FID server. You can do this at https://jwt.io/.
Keep the decoded token. Several values contained within are required for mapping attributes.
This section describes configuring proxy authorization, configuring an ADAP external token validator, and attribute mapping.
Configuring Proxy Authorization
The RadiantOne ADAP (or SCIM) service queries the RadiantOne FID LDAP service using proxy authorization.
To configure proxy authorization:
- In the Main Control Panel, navigate to Settings > Server Front End > Supported Controls.
- Enable Proxy Authorization and click Save.
- Navigate to Settings > Security > Access Control.
- Enable the “Allow Directory Manager to impersonate other users” option and click Save.
Configuring ADAP External Token Validator
To add an external token validator:
- In the Main Control Panel, navigate to Settings > Security > External Token Validators.
- Click Add. The New ADAP External Token Validator page displays.
Figure 24: The New ADAP External Token Validator Page
- Name the external token validator.
- Toggle the Enable switch to On.
- Select an OIDC provider from the drop-down menu.
- Paste the Metadata URI from your OIDC authorization server into the Discovery URL field.
- Click Discover. The JSON Web Key Set URI auto-populates.
- Use the Expected Audience from your OIDC client to populate the Expected Audience field.
  Other values can be obtained from the decoded access token. See the Getting an Access Token section for more information.
Figure 25: Configuring an ADAP External Token Validator
- Click Edit next to Claims to FID User Mapping. The OIDC to FID User Mappings page displays.
- Define either a search expression or a simple DN Expression. In this example, a search expression is defined as shown below.
Figure 26: Editing OIDC to FID User Mapping
- Click OK. Click OK again to close the OIDC to FID User Mappings window.
- Map a uniquely identifying attribute to a corresponding claim value in the token (refer to the Getting an Access Token section for more information). In the following image, the attribute mail is mapped to the claim value email.
  In some cases, creating a new attribute may be required.
Figure 27: The Search Expression Builder
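The following is an added example (not RadiantOne product code) that ties together two of the steps above: the decode step in Getting an Access Token (done locally here rather than at jwt.io, so a live token never leaves your machine) and the checks behind the Expected Audience field and the Claims to FID User Mapping in Configuring ADAP External Token Validator. It decodes a token, verifies its signature, checks issuer, audience and validity window, and then builds the `(mail=<email>)` search expression with LDAP filter escaping so a claim value cannot alter the filter. The issuer, audience, claim values and the HS256 secret are constructed sample values; RadiantOne itself verifies signatures against the JSON Web Key Set URI it discovers from the Discovery URL, not against a shared secret, and the HS256 path is used only so the example runs offline.

```python
"""Added example: decode, verify and map an OIDC access token.

Sample issuer, audience, claims and secret are constructed, not from any
real OIDC provider. HS256 stands in for the JWKS-based asymmetric
verification a real validator performs.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_token(token: str) -> dict:
    """Split a compact JWS into header and payload WITHOUT checking the
    signature. This is what jwt.io displays: fine for reading off values
    for configuration, never for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWS segments")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
        "signing_input": parts[0] + "." + parts[1],
        "signature": b64url_decode(parts[2]),
    }


def verify_hs256(decoded: dict, secret: bytes) -> bool:
    """Constant-time signature check for the constructed HS256 sample.
    A production validator selects the key by 'kid' from the discovered
    JWKS and verifies an asymmetric (e.g. RS256) signature instead."""
    if decoded["header"].get("alg") != "HS256":
        return False  # never let the token pick an unexpected algorithm
    expected = hmac.new(secret, decoded["signing_input"].encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, decoded["signature"])


def validate_claims(payload: dict, expected_issuer: str, expected_audience: str,
                    now=None, leeway: int = 60) -> list:
    """Return the problems found; an empty list means the claim set passes
    the issuer, audience and time-window checks."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expected_issuer:
        problems.append("issuer mismatch: %r" % payload.get("iss"))
    aud = payload.get("aud")  # 'aud' may be a string or a list of strings
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        problems.append("audience mismatch: %r" % audiences)
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("token expired or has no exp")
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        problems.append("token not yet valid")
    return problems


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping so a claim value cannot rewrite the search filter."""
    return "".join(("\\%02x" % ord(ch)) if ch in "\\*()\x00" else ch
                   for ch in value)


def build_search_expression(payload: dict, fid_attribute: str = "mail",
                            claim: str = "email") -> str:
    """Claims to FID User Mapping as a search expression: (mail=<email>)."""
    value = payload.get(claim)
    if not isinstance(value, str) or not value:
        raise ValueError("claim %r missing from token" % claim)
    return "(%s=%s)" % (fid_attribute, ldap_filter_escape(value))


def make_sample_token(payload: dict, secret: bytes) -> str:
    """Mint a constructed HS256 token so the example runs offline."""
    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


# Constructed sample values (not from any real OIDC provider).
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_ISSUER = "https://idp.example.com/"
SAMPLE_AUDIENCE = "adap-api"
SAMPLE_PAYLOAD = {"iss": SAMPLE_ISSUER, "aud": SAMPLE_AUDIENCE, "sub": "user-123",
                  "email": "jdoe@example.com", "iat": 1700000000, "exp": 1700003600}


def run_sample(now: float = 1700000000) -> str:
    """Full pipeline on the sample token; returns the FID search expression."""
    decoded = decode_token(make_sample_token(SAMPLE_PAYLOAD, SAMPLE_SECRET))
    if not verify_hs256(decoded, SAMPLE_SECRET):
        raise ValueError("bad signature")
    problems = validate_claims(decoded["payload"], SAMPLE_ISSUER, SAMPLE_AUDIENCE, now=now)
    if problems:
        raise ValueError("; ".join(problems))
    return build_search_expression(decoded["payload"])


if __name__ == "__main__":
    print(run_sample())  # (mail=jdoe@example.com)
```

The order of the checks matters: the signature is verified before any claim is read for a decision, the audience check is what the Expected Audience field enforces (a token minted for a different API is rejected even when the issuer is trusted), and the claim value is escaped before it is placed in the search expression.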
Completing the Request with Postman
To complete the request with Postman:
- Request a new access token (see Getting an Access Token).
- Click Use Token. This adds an Authorization header that carries your bearer token.
Figure 28: Requesting a new access token
- Send the bearer token to the FID ADAP. In this example, a basic ADAP search is performed.
Figure 29: Sending the bearer token to RadiantOne