NAM User Attribute Retrieval from REST Endpoint and Transformation into Virtual Attribute



Access Manager can retrieve an attribute from an external resource and transform it before using the value in assertions and access policies. This feature supports user attribute modifications such as transforming a value to uppercase. In some cases, the user information must be retrieved from a third-party server through a REST endpoint, but NAM doesn't support a REST endpoint as a data source. To work around this, the REST endpoint has to be called from JavaScript. The following solution explains how to call a REST endpoint and shows how to do complex attribute modification using Java within JavaScript.


Java 8 comes with the Nashorn JavaScript Engine, which runs JavaScript code natively on the JVM. Create utility methods in Java and call those Java functions from JavaScript.

A Java class used with virtual attribute JavaScript should implement static methods, because static methods are easy to call from JavaScript. Example Java class:

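package testwebproj;

// Imports needed once the REST call in the comment block below is enabled
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public class BeanCls {
    // Static so the method can be called directly from the virtual attribute JavaScript
    public static String fun1(String name) {
        /* Commented-out REST call: set https_url to the endpoint before enabling
        String https_url = "";
        URL url;
        try {
            url = new URL(https_url);
            HttpsURLConnection con = (HttpsURLConnection) url.openConnection();

            System.out.println("****** Content read from the URL ********");
            BufferedReader br =
                new BufferedReader(
                    new InputStreamReader(con.getInputStream()));

            String input;
            while ((input = br.readLine()) != null) {
            }
        } catch (MalformedURLException e) {
        } catch (IOException e) {
        }
        */
        System.out.format("Hi there from Java, %s ** ", name);
        return "greetings from java, " + name;
    }
}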

The bean class above implements the static method “fun1”. Parameters can be passed from JavaScript, and an object can be returned to the JavaScript method that invoked the Java method. The example below shows how to invoke “BeanCls” from JavaScript.

var MyJavaClass = Java.type('testwebproj.BeanCls');
var result = MyJavaClass.fun1('John Doe'); // java method return value

One can write their own Java utility method to call a REST endpoint and return the value to be used as the virtual attribute value.
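A sketch of such a utility method, written for Java 8 so it matches the Nashorn setup described above. It is an added example, not code from the original page: the class name `RestAttributeLookup`, the endpoint URL, the `user` query parameter, the timeout and the size cap are all assumptions to replace with your own values.

```java
package testwebproj; // same package as BeanCls above; the class name is hypothetical

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.HttpsURLConnection;

public final class RestAttributeLookup {
    // Placeholder endpoint and parameter name (assumptions, not from the page).
    private static final String BASE_URL = "https://rest.example.invalid/attributes?user=";
    private static final int TIMEOUT_MS = 3000;     // a slow endpoint must not stall logins
    private static final int MAX_BODY_BYTES = 8192; // bound what can reach the attribute value

    /** Returns the trimmed response body for the user, or "" on any failure. */
    public static String lookup(String userId) {
        if (userId == null || userId.isEmpty()) { return ""; }
        HttpsURLConnection con = null;
        try {
            // Encode the caller-supplied value so it cannot alter the query string.
            URL url = new URL(BASE_URL + URLEncoder.encode(userId, "UTF-8"));
            // The cast rejects non-HTTPS URLs; default certificate validation stays on.
            con = (HttpsURLConnection) url.openConnection();
            con.setConnectTimeout(TIMEOUT_MS);
            con.setReadTimeout(TIMEOUT_MS);
            con.setInstanceFollowRedirects(false);
            if (con.getResponseCode() != HttpsURLConnection.HTTP_OK) { return ""; }
            try (InputStream in = con.getInputStream()) {
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[1024];
                int n;
                while ((n = in.read(buf)) != -1) {
                    if (out.size() + n > MAX_BODY_BYTES) { return ""; } // oversized: fail closed
                    out.write(buf, 0, n);
                }
                return new String(out.toByteArray(), StandardCharsets.UTF_8).trim();
            }
        } catch (IOException | ClassCastException e) {
            return ""; // fail closed: policies see an empty attribute, not an exception
        } finally {
            if (con != null) { con.disconnect(); }
        }
    }
}
```

From the virtual attribute script it is called the same way as `BeanCls`: `Java.type('testwebproj.RestAttributeLookup').lookup(...)`. Because the returned string ends up in assertions or injected headers, treat the endpoint's response as untrusted input and validate its format before policies rely on it.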

Configuration Steps:

  1. Create a Java utility class with a static method. (An example Java class is shown above on this page.)
  2. Build a jar of the utility class and copy it to the IDP at /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib, or copy the classes with their package structure to the classes folder of the IDP’s NIDP webapp.
  3. Restart the IDP (/etc/init.d/novell-idp restart)
  4. Log in to the admin console
  5. Click on IDP clusters --> shared settings
  6. Select virtual attributes
  7. Click ‘ ’ to add new virtual attribute


  8. Give the virtual attribute a name and description
  9. Go to Step 2 and select “Advanced: JavaScript”. Provide a script with ‘function main()’ as the default method, and call your custom JavaScript method from it as your requirements dictate. Example below:
    function main(){
        return mapGroups();
    }

    function mapGroups(){
        var MyJavaClass = Java.type('testwebproj.BeanCls');
        var result = MyJavaClass.fun1('John Doe');
        return "**" + result;
    }


  10. Note: The test will fail because the class is not found. Ignore this error, or copy your utility class jar to the admin console under the nps project.
  11. Click OK and update the IDP
  12. The virtual attribute is now ready to use. The utility Java class can read the REST endpoint and return the required value.
  13. The virtual attribute can be configured as part of an access policy, or added to an attribute set and sent with the assertion.
    Access policy example: an Identity Injection (II) policy injects the virtual attribute into a custom header.



