Sample JavaScripts with Examples

The following section provides sample JavaScripts with examples. These are used in the Virtual Attributes section.

Example 1:

Consider a scenario where a service provider wants the partnerId attribute prefixed with the string PID, for example PID:P1.

To achieve this, fetch a user’s partnerId from the external LDAP repository by using their existing “givenName” LDAP attribute (available from the logged-in user store), and prepend the string “PID:” to it. Then send the value to web servers through the Identity Injection policy.

Solution: The solution is as follows:

Creating a Data Source:

  1. Configure an LDAP data source with name “dsLdap”. Specify the connection properties. Test the connection.

  2. Import the secure LDAP certificate into the Identity Server trust store using the Create Data Source screen.

  3. Click Update All to update Identity Servers.

Creating an Attribute Source:

  1. Click Devices > Identity Server > Shared Settings > Virtual Attributes > Attribute Source. Create an attribute source with name “dsLdapAttrSrc”.

  2. Select data source name “dsLdap”.

  3. Add input parameter %P1%. Map it to the LDAP attribute: givenName.

  4. Add a Filter: name=%P1%.

  5. Add output parameter: partnerID

  6. Test Filter: Test the input values.

Creating a Virtual Attribute:

  1. Click Devices > Identity Server > Shared Settings > Virtual Attributes > Virtual Attribute. Create a virtual attribute with name “partnerID”.

  2. Add input parameter P1. Map it to dsLdapAttrSrc:partnerID (the attribute source that you created in Step 1 of Creating an Attribute Source).

  3. In Step 2: Provide query and output parameters, specify the following script:

    function main(P1){
       return "PID:"+P1;
    }
  4. Test the script. The result is PID: followed by the value of P1. For example, if partnerID=part123, the test result is PID:part123.

  5. Update Identity Server.

  6. Use it in the Identity injection policy.

Example 2:

Consider a scenario where the authenticated user, named Carlos, is a manager and has administrator rights to a protected human resource application. When Carlos accesses this application, his roles must be passed to the application.

In this scenario, Carlos has a local LDAP attribute isManager and has roles of a recruiter and an employee. He also has a local LDAP attribute groupmembership, which contains the string admins (for example, adminsRecruitmentDep, adminsPoliciesDep).

Solution: Create a virtual attribute, App1Admin.

  1. In Step1: Provide input parameters, select the following input parameters:

    • P1 is mapped to the LDAP attribute isManager

    • P2 is mapped to the LDAP attribute groupmembership

    • P3 is mapped to the LDAP attribute role value

  2. Use the following code in Step 2: Provide a modification function > Advanced Javascript:

    function main(P1, P2, P3){
        if(P1 == 'true' && (/admins/i.test(P2) == true)){
            return P3;
        }else{
            return 'NA';
        }
    }
  3. To test JavaScript, click + and add multiple test values. Specify the following test values:

    • P1: true

    • P2: adminsRecruitmentDep

    • P3: recruiter,employee

    Output: The output is a multi-valued virtual attribute recruiter,employee.

In the condition /admins/i.test(P2) == true, /admins/i is a regular expression (the i flag makes it case-insensitive) and test is a built-in JavaScript RegExp method. It tests the regular expression against the string passed as the input parameter and returns true if the string contains the pattern anywhere; it is a substring match, not an exact match of the group name.
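A stricter form of the Example 2 check, added here as an example and not taken from the Access Manager documentation. The page's /admins/i.test(P2) is a substring match (so a value such as nonadmins also passes) and a multi-valued P2 arrives as an Array that test() coerces to one comma-joined string; this version inspects each value and requires the group name, or the cn of its DN, to begin with admins. It assumes P1, P2 and P3 arrive as a string or an Array of strings.

```javascript
// Added example, not the product's own code. The page's check is kept
// as mainLoose() for comparison with the stricter main() below.
function mainLoose(P1, P2, P3) {
  if (P1 == 'true' && (/admins/i.test(P2) == true)) {
    return P3;
  }
  return 'NA';
}

// Normalise a scalar or multi-valued attribute to an Array (assumed shape).
function toArray(value) {
  if (value instanceof Array) return value;
  if (value === undefined || value === null) return [];
  return [value];
}

// isManager must be the string "true" (any case) or boolean true.
function isTrue(value) {
  return value === true || String(value).toLowerCase() === 'true';
}

// A group qualifies only when its name, or the cn of its DN, starts with
// "admins"; "nonadmins" or "badmins" no longer match.
function isAdminsGroup(group) {
  return /^(cn=)?admins/i.test(String(group));
}

// Returns the roles (P3) only when the user is a manager and at least one
// groupmembership value is an admins group; otherwise 'NA'.
function main(P1, P2, P3) {
  if (!isTrue(P1)) return 'NA';
  var groups = toArray(P2);
  for (var i = 0; i < groups.length; i++) {
    if (isAdminsGroup(groups[i])) return P3;
  }
  return 'NA';
}
```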

Example 3:

Consider a scenario where an Access Manager user wants to access Amazon Web Services (AWS). AWS has multiple roles and each AWS role can have various access rights or policies assigned to it. Based on the level of access, you can access authorized Amazon services. This information about roles must be sent dynamically by Access Manager to AWS to provide single sign-on to the Access Manager user.

For more information about AWS configuration, see Integrating Amazon Web Services with Access Manager.

In this scenario, you have a constant value built as <Role ARN>,<Trusted SAML Provider ARN> (the format AWS expects) mapped to the remote AWS attribute Role.

Suppose you have configured the admin and finance roles in AWS. The following are role ARNs:

  • For admin: arn:aws:iam::638116851885:role/admin

  • For finance: arn:aws:iam::638116851885:role/finance

For admin role, send the following: arn:aws:iam::638116851885:role/admin,arn:aws:iam::638116851885:saml-provider/NAMIDP

For finance role, send the following: arn:aws:iam::638116851885:role/finance,arn:aws:iam::638116851885:saml-provider/NAMIDP

In this example, to dynamically generate the AWS role, use the LDAP attribute Department Name in the user store. For the admin user, the department name is admin. For the finance user, the department name is finance. To make department name available as an LDAP attribute, ensure that you enable personal profile. Click Identity Servers > Edit > Liberty > Web Service Provider.

Solution: Create a virtual attribute as follows.

When the user logs in, the department name (for example, finance) is fetched for that user and appended to the constant role ARN prefix. The result is then concatenated with the trusted SAML provider ARN, giving a value in the following format: arn:aws:iam::638116851885:role/admin,arn:aws:iam::638116851885:saml-provider/NAMIDP

Map this virtual attribute to the AWS remote attribute Role.

  1. In Step1: Provide input parameters, select P1 parameter value as Department Name (Personal Profile).

  2. Use the following code in Step 2: Provide a modification function > Advanced Javascript:

    function main(P1){
        // Constant parts: the role ARN prefix and the trusted SAML provider ARN
        var role_arn = 'arn:aws:iam::638116851885:role/';
        var provider_arn = ',arn:aws:iam::638116851885:saml-provider/NAMIDP';
        var aws_role;
        // The department name (P1) selects the role: <Role ARN>,<Provider ARN>
        aws_role = role_arn + P1 + provider_arn;
        return aws_role;
    }
  3. To test JavaScript, click the + and add multiple test values. Specify the test value of P1: finance.

    Output: arn:aws:iam::638116851885:role/finance,arn:aws:iam::638116851885:saml-provider/NAMIDP.
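An allowlisted variant of the Example 3 script, added here as an example and not taken from the Access Manager documentation. The script above concatenates whatever Department Name holds into the role ARN, so any department value selects the AWS role of the same name; this version maps only known departments to roles and returns 'NA' for everything else, so no role is asserted for an unexpected value. The account id and provider name are the page's sample values; the DEPARTMENT_ROLES map is an assumption.

```javascript
// Added example, not the product's own code.
var ACCOUNT_ID = '638116851885';
var PROVIDER_ARN = 'arn:aws:iam::' + ACCOUNT_ID + ':saml-provider/NAMIDP';

// Assumed department -> AWS role-name allowlist; only these departments
// ever produce a role ARN.
var DEPARTMENT_ROLES = {
  admin: 'admin',
  finance: 'finance'
};

function roleArn(roleName) {
  return 'arn:aws:iam::' + ACCOUNT_ID + ':role/' + roleName;
}

// Build the "<Role ARN>,<Provider ARN>" pair AWS expects, or 'NA' when the
// department is missing, not a string, or not in the allowlist.
function awsRoleFor(department) {
  if (typeof department !== 'string') return 'NA';
  var key = department.replace(/^\s+|\s+$/g, '').toLowerCase();
  if (!Object.prototype.hasOwnProperty.call(DEPARTMENT_ROLES, key)) return 'NA';
  return roleArn(DEPARTMENT_ROLES[key]) + ',' + PROVIDER_ARN;
}

// P1 is Department Name; a multi-valued attribute arrives as an Array and
// the first allowlisted value wins.
function main(P1) {
  if (P1 instanceof Array) {
    for (var i = 0; i < P1.length; i++) {
      var arn = awsRoleFor(P1[i]);
      if (arn !== 'NA') return arn;
    }
    return 'NA';
  }
  return awsRoleFor(P1);
}
```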

Example 4:

You want to send the groups associated with the user to a service provider named cloudsp. However, you want to send only the groups relevant to that service, and only the group cn rather than the complete group DN. Write a function that checks whether the group cn starts with “cloudsp” and, if it does, returns that cn.

In this scenario, the cn of the groups relevant to cloudsp starts with “cloudsp”, for example "cn=cloudspa,ou=group,o=mycompany". So, when a cloudsp user authenticates at Identity Server, you need to extract all cn values from the local LDAP attribute groupMembership, keep only those starting with cloudsp, and send them in the assertion to cloudsp.

Solution:

  1. In Step1: Provide input parameters, select P1 as an attribute which has the groups.

  2. Use the following code in Step 2: Provide a modification function > Advanced Javascript:

    function main( P1 ){
        return mapGroups(P1);
    }

    // Handles both a single value and a multi-valued (Array) attribute.
    function mapGroups(attribute){
        var result = [];
        if(attribute instanceof Array){
            var j = 0;
            for(var i=0; i<attribute.length; i++){
                var grp = checkGroup(attribute[i]);
                if( grp != 'NA')
                    result[j++] = grp;
            }
        }else{
            var grp = checkGroup(attribute);
            if( grp != 'NA')
                result[0] = grp;
        }
        return result;
    }

    // Returns the cn when the group DN starts with cn=cloudsp, otherwise 'NA'.
    function checkGroup(group){
        if(/^cn=cloudsp.*,/.test(group) == true){
            var startindex = 3; // skip the leading "cn="
            var endindex = group.indexOf(",");
            return group.substring( startindex, endindex);
        }else
            return 'NA';
    }
  3. To test JavaScript, click + and add multiple test values. Specify the following test values:

    cn=cloudspgroupa,ou=group,o=mycompany
    cn=cloudspgroupb,ou=group,o=mycompany
    cn=cloudspgroupk,ou=group,o=mycompany
    cn=testgroupa,ou=group,o=mycompany

    Output:

    cloudspgroupa
    cloudspgroupb
    cloudspgroupk

Explanation:

The built-in JavaScript string function substring is used to extract the cn value from the group DN. /^cn=cloudsp.*,/.test(group) applies a regular expression that matches a string starting with cn=cloudsp, followed by zero or more characters and a comma (,). The match is case-sensitive, and the cn is cut at the first comma in the DN.
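A DN-aware variant of Example 4's checkGroup, added here as an example and not taken from the Access Manager documentation. The regular expression above is case-sensitive (a DN returned as CN=... does not match) and the cn is cut at the first comma, so a cn that contains an escaped comma, such as cn=cloudsp\,eu,ou=group,o=mycompany, is truncated; this version reads the first RDN up to the first unescaped comma, compares the attribute type case-insensitively and unescapes the value. The prefix parameter is an assumption so the same code can serve other service providers.

```javascript
// Added example, not the product's own code.

// Return the first RDN of a DN with backslash escapes removed, stopping at
// the first comma that is not escaped (RFC 4514 style).
function firstRdn(dn) {
  var out = '';
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === '\\' && i + 1 < dn.length) { out += dn.charAt(i + 1); i++; continue; }
    if (c === ',') break;
    out += c;
  }
  return out;
}

// Return the cn value when the first RDN is a cn (any case) whose value
// starts with prefix (case-insensitive); otherwise 'NA', as on the page.
function checkGroup(group, prefix) {
  var rdn = firstRdn(String(group));
  var eq = rdn.indexOf('=');
  if (eq < 0 || rdn.substring(0, eq).toLowerCase() !== 'cn') return 'NA';
  var cn = rdn.substring(eq + 1);
  if (cn.substring(0, prefix.length).toLowerCase() !== prefix.toLowerCase()) return 'NA';
  return cn;
}

// Accept a single value or an Array and collect the matching cn values.
function mapGroups(attribute, prefix) {
  var values = attribute instanceof Array ? attribute : [attribute];
  var result = [];
  for (var i = 0; i < values.length; i++) {
    var grp = checkGroup(values[i], prefix);
    if (grp !== 'NA') result.push(grp);
  }
  return result;
}

function main(P1) {
  return mapGroups(P1, 'cloudsp');
}
```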

Example 5:

(Utility Function Reuse) Consider a scenario where the Identity Server roles are in the format companyX:rolename. A service provider abc wants the roles in the rolename format and in upper case.

To achieve this, remove 'companyX:' from each role and convert each of them into upper case for sending them to the protected web server. Each role is specified as companyX:rolename.

For example, companyX:admin, companyX:guest.

Solution:

  1. In Step 1: Provide input parameters, select P1: All Roles.

  2. Use the following code in the Step 2: Provide a modification function > Advanced Javascript:

    Copy the JavaScript from the following pre-defined functions: Remove Substring and To upperCase.

    Remove Substring function:

    function findReplace(attribute, findString, replaceString){
        var result;
        if(attribute instanceof Array){
            result = [];
            for(var i=0; i<attribute.length; i++){
                result[i] = attribute[i].split(findString).join(replaceString);
            }
        }else{
            result = attribute.split(findString).join(replaceString);
        }
        return result;
    }

    To upperCase function:

    function convertToUpperCase (attribute){
        var result;
        if(attribute instanceof Array){
            result = [];
            for(var i=0; i<attribute.length; i++)
                result[i] = attribute[i].toUpperCase();
        }else{
            result = attribute.toUpperCase();
        }
        return result;
    }

    Now customize the code. In Substring to remove for findReplace(), specify companyX: and an empty replacement string. The match is case-sensitive, so the substring must match the role prefix exactly:

    function main(P1){
        // Remove the prefix 'companyX:' (case-sensitive, replaced with an empty
        // string), then convert the remaining role names to upper case.
        return convertToUpperCase(findReplace(P1, 'companyX:', ''));
    }

    function findReplace(attribute, findString, replaceString){
        var result;
        if(attribute instanceof Array){
            result = [];
            for(var i=0; i<attribute.length; i++){
                result[i] = attribute[i].split(findString).join(replaceString);
            }
        }else{
            result = attribute.split(findString).join(replaceString);
        }
        return result;
    }

    function convertToUpperCase (attribute){
        var result;
        if(attribute instanceof Array){
            result = [];
            for(var i=0; i<attribute.length; i++)
                result[i] = attribute[i].toUpperCase();
        }else{
            result = attribute.toUpperCase();
        }
        return result;
    }

  3. To test JavaScript, add the test values in P1: 'companyX:admin', 'companyX:guest'. Output: ADMIN, GUEST.

Example 6:

Consider a scenario where you do not want to modify an attribute value that is retrieved from an external source. To send the same attribute value unchanged in the assertion to a federated provider or in policies, perform the following steps:

  1. Click Devices > Identity Server > Shared Settings > Virtual Attributes > Virtual Attribute.

  2. In Step1: Provide input parameters, select P1, and map it to an attribute retrieved from an external source.

  3. In Step 2: Provide a modification function, select Advanced JavaScript, and specify the following script:

    function main(P1){
        return P1;
    }
  4. Test the script. The result is the value of the attribute source specified as P1.

  5. Update Identity Server.