In the Identity Panel and Service Panel/Access Panel user interfaces there may be elements (dashboards, navigation links, etc.) that are only visible to users in certain roles. Role configuration and the assignment of audience rules are covered elsewhere; this article demonstrates two ways to check which roles Identity Panel detects for a given user.
Rule Tester
If the user has access to the Rule Tester, the UserClaims() function will show the claims returned by the authentication source. The Value Rule is entered without selecting a Data Type in the dropdown.
The data returned varies between authentication sources and the attributes each source is configured to include in the claim set. In particular, the "groups" claim may contain GUIDs (object IDs) or group names depending on the setup, so an audience rule that expects one format will not match a token that carries the other. Three captured examples follow:
// sample 1 (OIDC)
{
"aio": "...",
"http://schemas.microsoft.com/claims/authnmethodsreferences": [
"rsa",
"mfa"
],
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Nugent",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Penelope",
"groups": [
"c718eae2-4af5-414c-84e4-b6764aeb98a7",
"7dd97d1f-d922-4f98-9e88-3017213c6486"
],
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": [
"Nugent, Penelope",
"penelope.nugent@acmecorp.com"
],
"http://schemas.microsoft.com/identity/claims/objectidentifier": "92ab97d0-e155-46a2-8dc1-9ae2afc8b16a",
"rh": "1.AQcAhjXcxzShAkGa2q3497asnWVtAp3ZAWbUijo__AL0HAA.",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "DASDDFG3465kIh3ZJL1At5SoX84IScAI6nCzyX8RF3-SzgU",
"http://schemas.microsoft.com/identity/claims/tenantid": "76cfe2a3-2428-4ab3-b1d2-8615fdba9636",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "penelope.nugent@acmecorp.com",
"uti": "tHl1wG--pU6qWtSDFS897QTAQ",
"http://schemas.identitypanel.com/identity/claims/authmethod": "OIDC"
}
// sample 2 (SAML)
{
"http://schemas.microsoft.com/identity/claims/tenantid": "d60e1331-5b2f-4206-9b56-b0822a4a7fdc",
"http://schemas.identitypanel.com/identity/claims/authmethod": "SAML",
"http://schemas.identitypanel.com/identity/claims/samlpartner": "http://acmecorp.saml.com/gheeevapheHlb1vtm873",
"http://schemas.microsoft.com/identity/claims/objectidentifier": "penelope.nugent@acmecorp.com",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "penelope.nugent@acmecorp.com",
"groups": [
"identitypanel-admin-portal",
"identitypanel-user-portal"
]
}
// sample 3 (OIDC)
{
"aio": "...",
"http://schemas.microsoft.com/claims/authnmethodsreferences": [
"pwd",
"mfa"
],
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Nugent",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "Penelope",
"groups": [
"e3021dbc-1011-4506-821f-7147299b5c3e",
"c800cea8-cdd6-4273-b2c7-e9a6ff139e62",
"93778949-602e-45b4-b845-1e19d579e96b"
],
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": [
"Penelope Nugent",
"pnugent@acmecorp.com"
],
"http://schemas.microsoft.com/identity/claims/objectidentifier": "8cf52fe0-78fa-45c8-943e-5998aeb19ae6",
"pwd_exp": "543071",
"pwd_url": "https://portal.microsoftonline.com/ChangePassword.aspx",
"rh": "1.AUgAR3OjrrpQIE2GgUfq7fqx-Jw5R8FlvkZFhOIfJd9Ezq0LAXxIAA.",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "Z-8fBZjA50mwwrfLRtdBAcHan4xDKtzo2BVvRA_DqsM",
"http://schemas.microsoft.com/identity/claims/tenantid": "47294838-9be2-4308-be5c-edf353eb3385",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "pugent@acmecorp.com",
"uti": "EMVtaQjrxUyoAv3o0_SgCC",
"http://schemas.identitypanel.com/identity/claims/authmethod": "OIDC"
}
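The three samples above differ in claim shape (single values versus arrays) and in group format (GUIDs versus names), which is exactly what trips up role detection. The following is an added example, not Identity Panel's own code or rule language: a small JavaScript helper that can be pasted into a browser console alongside the output of UserClaims() to summarise the claims that matter for role detection and to compare the token's groups against the groups an administrator expects a role's audience rule to key on. The role-to-group mapping (EXPECTED_OIDC, EXPECTED_SAML) is a hypothetical configuration supplied by hand, not read from Identity Panel; the two sample payloads are constructed, trimmed copies of sample 1 and sample 2 above.

```javascript
// Added example (not Identity Panel's own code): summarise a UserClaims()
// payload so the claims that drive role detection can be compared against
// the groups a role's audience rule is expected to match.

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Claim URIs exactly as they appear in the samples on this page.
const CLAIM = {
  upn: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
  oid: "http://schemas.microsoft.com/identity/claims/objectidentifier",
  tenant: "http://schemas.microsoft.com/identity/claims/tenantid",
  authMethod: "http://schemas.identitypanel.com/identity/claims/authmethod",
  amr: "http://schemas.microsoft.com/claims/authnmethodsreferences",
};

// A claim value may be a single string or an array (compare the "name" claim
// in sample 1 with the "upn" claim); normalise both to a list.
function asList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Build a compact view of the claims relevant to role detection.
function summariseClaims(claims) {
  const groups = asList(claims.groups).map(String);
  const guidGroups = groups.filter((g) => GUID_RE.test(g));
  return {
    upn: asList(claims[CLAIM.upn])[0] ?? null,
    objectId: asList(claims[CLAIM.oid])[0] ?? null,
    tenantId: asList(claims[CLAIM.tenant])[0] ?? null,
    authMethod: asList(claims[CLAIM.authMethod])[0] ?? null,
    mfa: asList(claims[CLAIM.amr]).includes("mfa"),
    groups,
    // "guid"  = group object IDs (as in the OIDC samples)
    // "name"  = group names (as in the SAML sample)
    // "mixed" = both kinds present, "none" = no groups claim at all
    groupFormat:
      groups.length === 0 ? "none"
      : guidGroups.length === groups.length ? "guid"
      : guidGroups.length === 0 ? "name"
      : "mixed",
  };
}

// Compare the groups carried in the token against the groups each role is
// expected to require. expectedGroupsByRole is a hypothetical mapping that the
// administrator supplies by hand; it is not read from Identity Panel.
function checkRoleGroups(claims, expectedGroupsByRole) {
  const present = new Set(asList(claims.groups).map((g) => String(g).toLowerCase()));
  const result = {};
  for (const [role, expected] of Object.entries(expectedGroupsByRole)) {
    const missing = expected.filter((g) => !present.has(g.toLowerCase()));
    result[role] = { satisfied: missing.length === 0, missing };
  }
  return result;
}

// Constructed inputs: trimmed copies of sample 1 (OIDC) and sample 2 (SAML).
const SAMPLE_OIDC = {
  "http://schemas.microsoft.com/claims/authnmethodsreferences": ["rsa", "mfa"],
  groups: ["c718eae2-4af5-414c-84e4-b6764aeb98a7", "7dd97d1f-d922-4f98-9e88-3017213c6486"],
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": ["Nugent, Penelope", "penelope.nugent@acmecorp.com"],
  "http://schemas.microsoft.com/identity/claims/objectidentifier": "92ab97d0-e155-46a2-8dc1-9ae2afc8b16a",
  "http://schemas.microsoft.com/identity/claims/tenantid": "76cfe2a3-2428-4ab3-b1d2-8615fdba9636",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "penelope.nugent@acmecorp.com",
  "http://schemas.identitypanel.com/identity/claims/authmethod": "OIDC",
};

const SAMPLE_SAML = {
  "http://schemas.microsoft.com/identity/claims/tenantid": "d60e1331-5b2f-4206-9b56-b0822a4a7fdc",
  "http://schemas.identitypanel.com/identity/claims/authmethod": "SAML",
  "http://schemas.microsoft.com/identity/claims/objectidentifier": "penelope.nugent@acmecorp.com",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "penelope.nugent@acmecorp.com",
  groups: ["identitypanel-admin-portal", "identitypanel-user-portal"],
};

// Hypothetical audience configuration: the group each role is expected to key on.
// The Reader GUID below deliberately does not appear in the OIDC token, to show
// how a missing group is reported.
const EXPECTED_OIDC = {
  Administrator: ["c718eae2-4af5-414c-84e4-b6764aeb98a7"],
  Reader: ["00000000-0000-0000-0000-000000000001"],
};
const EXPECTED_SAML = {
  Administrator: ["identitypanel-admin-portal"],
  Reader: ["identitypanel-user-portal"],
};

console.log(summariseClaims(SAMPLE_OIDC));
console.log(checkRoleGroups(SAMPLE_OIDC, EXPECTED_OIDC));
console.log(summariseClaims(SAMPLE_SAML));
console.log(checkRoleGroups(SAMPLE_SAML, EXPECTED_SAML));
```

In practice, replace SAMPLE_OIDC with the object returned by UserClaims() (or pasted from the Rule Tester) and fill the expected mapping from the role's audience rule configuration; a role reported as not satisfied with a GUID listed under missing while groupFormat is "name" (or the reverse) points at a format mismatch between the rule and the claim rather than at a missing group membership.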
Developer Tools (Browser)
Review via the Rule Tester may not be possible for some Service Panel/Access Panel users, so the browser's Developer Tools can be used instead to retrieve the details. This method also works in Identity Panel. All supported browsers provide Developer Tools, typically opened with the F12 keyboard shortcut. Layouts differ between browsers, but the "Console" panel/tab is the one needed to display the assigned roles. Enter the following at the console prompt:
> access;
The returned payload includes a "Roles" array containing the calculated Security Roles for the authenticated user.