Using the Advanced Claim to Group mapper or the Advanced Attribute to Group mapper

Ops Center Installation and Configuration Guide

Version: 11.0.x
Audience: anonymous
Part Number: MK-99OPS001-25
By using the Advanced Claim to Group mapper or the Advanced Attribute to Group mapper, you can automatically map users authorized by an identity provider other than AD FS to user groups based on the specified conditions. You can use these mappers, for example, to limit users who can log in to Hitachi Ops Center or to assign administrator privileges to a specific user.

These group mappers perform mapping based on user information provided by the identity provider. Specifically, a Key and Value pair is used to specify a condition, as indicated in the following procedure. Multiple conditions can be specified.

  • When configuring a link by using the OIDC protocol: For Key, specify the Claim of the ID token. For Value, specify the value of that Claim.
  • When configuring a link by using the SAML protocol: For Key, specify the assertion attribute. For Value, specify the value of that attribute.
  1. Log in to the Hitachi Ops Center Portal as the sysadmin user or as a user who belongs to the opscenter-administrators group.
  2. From the navigation bar, click Manage users.
  3. In the Users window, from the Asset type, click Identity providers (Other).
  4. In the Identity providers (Other) window, click Embedded Keycloak.
  5. Log in to Keycloak as the idpadmin user.
  6. In the Identity providers window, click the registered identity provider.
  7. In the Provider details window, click the Mappers tab.
  8. Click Add mapper and specify the following items in the Add Identity Provider Mapper window:
    • When configuring a link by using the OIDC protocol

      Item               | Value to be specified                                                                           | Example of value to be specified
      -------------------|-------------------------------------------------------------------------------------------------|---------------------------------
      Name               | Any name                                                                                        | Advanced-Claim-to-Group-mapper
      Sync mode override | Value that can be selected from the list                                                        | Force
      Mapper type        | Advanced Claim to Group                                                                         | Advanced Claim to Group
      Claims - Key       | Key of the identity provider                                                                    | Claim equivalent to a group (*)
      Claims - Value     | A value that corresponds to Key                                                                 | Storage Administrators
      Regex Claim Values | On (if a regular expression is used for Claims - Value), Off (if no regular expression is used) | Off
      Group              | Name of the Common Services user group to which the user is assigned                            | opscenter-administrators

      (*) The OIDC protocol does not support a Claim indicating a group by default. You must specify the Claim specific to the identity provider.
    • When configuring a link by using the SAML protocol

      Item                   | Value to be specified                                                                               | Example of value to be specified
      -----------------------|-----------------------------------------------------------------------------------------------------|---------------------------------
      Name                   | Any name                                                                                            | Advanced-Attribute-to-Group-mapper
      Sync mode override     | Value that can be selected from the list                                                            | Force
      Mapper type            | Advanced Attribute to Group                                                                         | Advanced Attribute to Group
      Attributes - Key       | Key of the identity provider                                                                        | http://schemas.xmlsoap.org/claims/Group
      Attributes - Value     | A value that corresponds to Key                                                                     | Storage Administrators
      Regex Attribute Values | On (if a regular expression is used for Attributes - Value), Off (if no regular expression is used) | Off
      Group                  | Name of the Common Services user group to which the user is assigned                                | opscenter-administrators
  9. After configuration is complete, click Save.
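As an added example (not from this guide, Hitachi, or Keycloak), the following Python models the decision the mapper makes for one user: each Key/Value condition is checked against the ID token claims (or SAML assertion attributes), and the user is placed in the target group only when every condition holds. It assumes that all conditions must hold and that with the Regex switch On the pattern must match the whole value; the token claims and the `map_to_group` helper are constructed for the example.

```python
import re
from typing import Any, Mapping, Optional, Sequence, Tuple

# Constructed example, not Hitachi or Keycloak code: simulates how an
# Advanced Claim to Group / Advanced Attribute to Group mapper decides
# whether a federated user is placed into a Common Services group.
# Assumptions: every Key/Value condition must hold, and with the Regex
# switch On the pattern must match the whole claim value.

Condition = Tuple[str, str]  # (Key, Value) exactly as entered in the mapper


def _claim_values(token: Mapping[str, Any], key: str) -> Sequence[str]:
    """Return the claim/attribute value(s) for `key` as a list of strings.
    Group claims are often multi-valued, so a single value or a list of
    values is normalised to a list; a missing claim yields an empty list."""
    raw = token.get(key)
    if raw is None:
        return []
    if isinstance(raw, (list, tuple)):
        return [str(v) for v in raw]
    return [str(raw)]


def condition_matches(token: Mapping[str, Any], key: str, value: str, regex: bool) -> bool:
    """One Key/Value condition holds if any value of the claim matches.
    regex=False (switch Off) is an exact string comparison; regex=True
    (switch On) requires the pattern to match the complete value."""
    values = _claim_values(token, key)
    if regex:
        pattern = re.compile(value)
        return any(pattern.fullmatch(v) is not None for v in values)
    return any(v == value for v in values)


def map_to_group(token: Mapping[str, Any], conditions: Sequence[Condition],
                 regex: bool, group: str) -> Optional[str]:
    """Return `group` when every condition holds, otherwise None (no mapping)."""
    if conditions and all(condition_matches(token, k, v, regex) for k, v in conditions):
        return group
    return None


# Constructed ID-token claims for a user who belongs to two IdP groups.
ID_TOKEN_CLAIMS = {
    "sub": "user-123",
    "email": "ops.user@example.com",
    "groups": ["Storage Administrators", "Viewers"],  # IdP-specific group claim
}

if __name__ == "__main__":
    cfg = [("groups", "Storage Administrators")]
    print(map_to_group(ID_TOKEN_CLAIMS, cfg, False, "opscenter-administrators"))
```

Use it to sanity-check a pattern before turning Regex on for a mapper that grants opscenter-administrators: a loose pattern such as `.*Admin.*` matches values that the exact Off comparison would reject.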