PingAuthorize

Changing the default JWT claim for the OIDC user ID

Change the JSON Web Token (JWT) claim that identifies the OpenID Connect (OIDC) user (by default, the sub claim) in the core section of the options.yml file.

By default, when a user signs on to the Policy Editor with OIDC, the Policy Editor uses the sub JWT claim to:

  • Extract the sub claim value from the ID token and:

    • Record the sub claim value in the Creator column of the Commits table when the user makes commits (see Branch Manager > Version Control).

  • Make a request to the UserInfo endpoint and:

    • Use the sub claim value from the response as the user data.

    • Display the user data in the upper-right corner of the Policy Editor.

If your organization wants to use a non-default claim for the OIDC user ID, such as email, define this claim by completing the following steps.

You must configure your OIDC provider to include the claim in both the ID token and the UserInfo endpoint response. The Policy Editor reads the claim from the ID token when recording commits and from the UserInfo response when displaying the signed-on user, so a claim that is missing from either location will not appear in the corresponding place. Refer to your OIDC provider’s documentation for instructions.

Steps

  1. Make a copy of the default options file:

    $ cp config/options.yml my-options.yml
  2. In the core section of the new options file, uncomment the example Authentication.oidcUserIdField field that uses the email claim:

    core:
      # Use a JWT claim other than "sub" for the OIDC User ID.
      #
      # Authentication.oidcUserIdField: jwt_claim
      #
      Authentication.oidcUserIdField: "email"
    1. (Optional) Replace email with your organization’s preferred claim name.

  3. Stop the Policy Editor:

    $ bin/stop-server
  4. Run setup using the --optionsFile argument and customize all other options to meet your needs:

    $ bin/setup demo \
      --adminUsername admin \
      --generateSelfSignedCertificate \
      --decisionPointSharedSecret pingauthorize \
      --hostname <pap-hostname> \
      --port <pap-port> \
      --adminPort <admin-port> \
      --licenseKeyFile <path-to-license> \
      --optionsFile my-options.yml
  5. Start the Policy Editor:

    $ bin/start-server
  6. In the Policy Editor, go to Branch Manager > Version Control and commit a policy change.

  7. Verify that your claim is being used:

    1. Select any branch and verify that the new claim value appears in the upper-right corner of the Policy Editor.

    2. Verify that the new claim value appears in the Creator column of the Commits table for the commit you made in step 6.
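Before you stop and re-run setup (and as a quicker check than committing a policy change in step 7), it helps to confirm that your OIDC provider actually emits the configured claim in both places the Policy Editor reads it from: the ID token and the UserInfo response. The following Python script is an added example written for this page; it is not part of PingAuthorize or the Policy Editor and does not reproduce their internal logic. It assumes the claim name was set to email in Authentication.oidcUserIdField, and it builds a constructed, unsigned sample ID token so it can run offline. It only parses the token payload and never verifies a signature, so treat it as an inspection aid, not an authentication step. It also checks that sub is identical in the ID token and the UserInfo response, which OIDC Core requires a relying party to verify before trusting UserInfo claims.

```python
import base64
import json

# Assumption: this is the value you set for Authentication.oidcUserIdField.
OIDC_USER_ID_FIELD = "email"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs omit."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the form used inside a compact JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(id_token: str) -> dict:
    """Return the claims from a compact JWT.

    This only parses the payload. It does NOT verify the signature, issuer,
    audience or expiry, so use it to inspect what a provider emits, never to
    decide whether a token is trustworthy.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def check_user_id_claim(id_token: str, userinfo: dict, claim: str = OIDC_USER_ID_FIELD) -> dict:
    """Report whether `claim` is present, non-empty and identical in the ID token
    and the UserInfo response, and whether `sub` agrees between the two.
    The returned dict's "ok" key is True only when every check passes."""
    token_claims = jwt_payload(id_token)
    report = {
        "claim": claim,
        "in_id_token": claim in token_claims,
        "in_userinfo": claim in userinfo,
        "id_token_value": token_claims.get(claim),
        "userinfo_value": userinfo.get(claim),
        # OIDC Core 5.3.2: the client MUST verify that UserInfo's sub matches
        # the ID token's sub before using any UserInfo claims.
        "sub_matches": bool(token_claims.get("sub"))
        and token_claims.get("sub") == userinfo.get("sub"),
    }
    # An empty value is as useless as a missing claim, so require a truthy value.
    report["ok"] = (
        bool(report["id_token_value"])
        and report["id_token_value"] == report["userinfo_value"]
        and report["sub_matches"]
    )
    return report


def make_sample_id_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token for offline testing only.
    The header says alg "none" and the third segment is a placeholder,
    not a signature; a real provider's token must never look like this."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder"


if __name__ == "__main__":
    # Constructed sample data standing in for a real ID token and UserInfo response.
    token = make_sample_id_token({"sub": "u-1001", "email": "alice@example.com"})
    good_userinfo = {"sub": "u-1001", "email": "alice@example.com"}
    missing_userinfo = {"sub": "u-1001"}  # provider forgot to add email to UserInfo
    print(json.dumps(check_user_id_claim(token, good_userinfo), indent=2))
    print(json.dumps(check_user_id_claim(token, missing_userinfo), indent=2))
```

To use it against your own provider, paste the ID token you obtain from a test sign-on in place of the constructed token and the JSON body returned by the UserInfo endpoint in place of good_userinfo. A report with in_id_token true but in_userinfo false is the case the note above warns about: commits would be attributed correctly, but the display name in the upper-right corner would not show the new claim.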