Cumulocity IoT Feedback Portal
Status Likely to support/improve
Created by Guest
Created on Oct 30, 2020

Map ID Token Parameters in SSO configuration

In the current SSO configuration in C8Y it is only possible to map the user ID claim from the Access token. The first issue is that if the user ID is not a human-readable value, then in the C8Y header menu where the user name is displayed, the non-human-readable value is displayed. The second issue is that the C8Y user profile cannot be manually updated with first name and last name since it is managed by the external identity provider.

To solve this issue, it should be possible in the C8Y SSO configuration to allow mapping further user information such as first name, last name, phone number and email address from the ID Token as it is defined in OpenID Connect, an extension on top of OAuth 2.

  • Admin
    Jane Porter
    May 15, 2023

    Access token mapping has been implemented, however not ID tokens; hence this has been moved back to Likely to implement.

    Info from Josh Hooks: PoC to try and integrate AWS Cognito SSO with Cumulocity. This is something Industrial Scientific has been wanting to do.

    As far as I can tell, Cognito does not allow us to return profile information (first name, last name, etc.) in the access token. Like many other IDPs, they use the access token to give you additional credentials that you can use to call an ID token endpoint to get profile info. Unlike other IDPs, they do not allow custom claims where you can force the profile information into the access token, which is how I got Okta to work.

    Seems like most of the IDP apps are going towards this ID token approach. Curious to see if we’ve planned any changes to support it. I know you mentioned something about it a while back but not sure if it’s directly related to development we’ve done.

  • Admin
    Nikolaus Neuerburg
    Nov 4, 2020

    Thanks for the quick feedback Mathias!

  • Guest
    Nov 3, 2020

    Hi Nikolaus,

    Sure, it would be a workaround if each user could update his user details such as first name, last name, email address and phone number in his user profile manually. The mapping based on ID Token claims would of course be ideal.

    Many thanks
    Mathias

  • Admin
    Nikolaus Neuerburg
    Nov 3, 2020

    Hi Mathias, thanks for the feedback. We are currently discussing this with Tobias and the R&D team. One question: Would the ability to manually update further information help you already (without the ability to configure the mapping based on the token properties)?