Skip to content

feat: DSPX-2416 add subject mapping guide #182

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
marythought wants to merge 17 commits into
base: main
Choose a base branch
from
Open

feat: DSPX-2416 add subject mapping guide #182

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
f2bd649
feat: DSPX-2416 add subject mapping deep dive to new Guides section
marythought Feb 9, 2026
58336cf
code review
marythought Feb 9, 2026
84e313d
fix vale ci issues
marythought Feb 9, 2026
b428af7
go back to previous example
marythought Feb 9, 2026
5526bf0
updates to agents file
marythought Feb 10, 2026
13761c3
npm run update-vendored-yaml
marythought Feb 18, 2026
231aacd
Merge branch 'main' into feat/dspx-2416
jp-ayyappan Feb 20, 2026
6e98175
Merge branch 'main' into feat/dspx-2416
marythought Feb 20, 2026
80297e9
Merge branch 'main' into feat/dspx-2416
marythought Feb 20, 2026
7e17278
Merge branch 'main' into feat/dspx-2416
marythought Feb 24, 2026
930f394
fix(subject-mapping-guide): address code review — correct hallucinate…
marythought Feb 24, 2026
d06dc61
docs(subject-mapping-guide): add content from community discussions #…
marythought Feb 24, 2026
aa8fe58
fix(subject-mapping-guide): use [] selector for array claims, explain…
marythought Feb 24, 2026
47f6ae8
fix(vale): repair broken regex patterns and add missing vocab terms
marythought Feb 24, 2026
d688d4d
docs(subject-mapping-guide): improve architecture section readability…
marythought Feb 24, 2026
a5f49db
docs(subject-mapping-guide): improve step-by-step UX — explain operat…
marythought Feb 25, 2026
7bef8ce
docs(subject-mapping-guide): address step-by-step UX friction points
marythought Feb 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions .github/vale-styles/config/Vocab/Opentdf/accept.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
Docusaurus
[Oo]tdfctl
API
(?i:tdf)
[Nn]amespace
Keycloak
Virtru
SDK
IdP
NPE
PE
FQN
JWT
proto
Postgres
ECDSA
[Nn]ano
Podman
assertation
[Dd]issem
JavaScript
Autoconfigure
requester('s)?
rewraps?
CI
[Ss]hellcheck
Okta
9 changes: 6 additions & 3 deletions .github/vale-styles/config/vocabularies/Opentdf/accept.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Docusaurus
[Oo]tdfctl
API
(?i)tdf
(?i:tdf)
[Nn]amespace
Keycloak
Virtru
Expand All @@ -20,5 +20,8 @@ assertation
[Dd]issem
JavaScript
Autoconfigure
requester(?('s))
rewrap(?(s))
requester('s)?
rewraps?
CI
[Ss]hellcheck
Okta
20 changes: 17 additions & 3 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,13 @@
- `npm run check-vendored-yaml`: Verify vendored OpenAPI YAML matches upstream.
- `npm run update-vendored-yaml`: Refresh vendored specs in `specs/` from upstream.

Preview deployment:
- Deploy to preview using pattern: `surge build opentdf-docs-preview-<ticket>.surge.sh`
- Extract ticket number from branch name (e.g., branch `feat/dspx-2416` → `opentdf-docs-preview-dspx-2416.surge.sh`)

Docs-only checks:
- `vale sync`: Install Vale styles configured in `.vale.ini`.
- `git diff --name-only | xargs vale --glob='!blog/*'`: Lint changed docs (matches CI’s “added lines behavior closely).
- `git diff --name-only | xargs vale --glob='!blog/*'`: Lint changed docs (matches CI's "added lines" behavior closely).

## Coding Style & Naming Conventions

Expand All @@ -30,8 +34,18 @@ Docs-only checks:

## Testing Guidelines

- There is no dedicated unit test runner; CI primarily validates `npm run build` and Vale.
- If you touch `docs/getting-started/` Docker Compose instructions, sanity-check them locally when feasible.
CI runs the following tests:

- **BATS tests**: Shell script tests in `tests/quickstart.bats` validate quickstart scripts on Ubuntu, macOS, and Windows
- **Shellcheck**: Lints shell scripts in `static/quickstart/` (check.sh, install.sh)
- **Docker Compose stack test**: Verifies the platform starts successfully on Ubuntu (triggered by changes to `docs/getting-started/`, `static/quickstart/`, or `tests/`)
- **Build validation**: `npm run build` must complete successfully
- **Vale linting**: Documentation prose style checks (run locally with `git diff --name-only | xargs vale --glob='!blog/*'`)

If you modify quickstart scripts or Docker Compose instructions:
- Run shellcheck locally: `shellcheck static/quickstart/check.sh static/quickstart/install.sh`
- Run BATS tests if available: `bats tests/quickstart.bats`
- Test the Docker Compose stack if feasible: Follow steps in `docs/getting-started/quickstart.mdx`

## Commit & Pull Request Guidelines

Expand Down
14 changes: 14 additions & 0 deletions docs/components/policy/subject_mappings.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,19 @@
# Subject Mappings

:::tip New to Subject Mappings?
Copy link
Contributor

@jakedoublev jakedoublev Feb 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure the best way to do this, but we will want to make it clearer that Subject Mappings are actually logically checking the Entity Resolution Service response (entity representation). The source of truth for the ERS to build an entity representation can be:

  1. access token claims (the actual JWT)
  2. idP user info (keycloak, okta, etc)
  3. LDAP (active directory, etc)
  4. SQL (a relational database)

The multi-strategy ERS still in experimental status, but there is a need to productionize it to support entity attributes from diverse sources. Mature organizations keep user/entity information across several kinds of systems, and as a platform we should support these.

Practically that means a subject mapping relating a condition set to an attribute value where the condition set finds jake@acme.org IN .emailAddress, depending on the ERS running with the platform and its mode, that could be:

  1. a JWT payload claim emailAddress in my access token
  2. an attribute in my idP emailAddress
  3. a directory attribute emailAddress in my LDAP system
  4. a column value in my row in a SQL-compatible database, where a query results in a JSON object with a key emailAddress

TLDR: we should find a clear way to communicate that entity attributes are stored in diverse systems, organized/resolved by ERS, conditionally resolved to platform Attribute Values via Subject Mappings with Subject Condition Sets.

Copy link
Contributor Author

@marythought marythought Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in commit 930f394 — added a :::note block immediately after the :::tip in subject_mappings.md that explains:

  • Subject Mappings evaluate against the Entity Representation produced by ERS, not directly against IdP tokens
  • Lists the four sources (JWT claims, IdP user info, LDAP/AD, SQL) explicitly
  • Notes that the same .emailAddress selector works regardless of which source ERS resolves it from
  • Links to the Entity Resolution docs for multi-source ERS details
  • Added a note that multi-source support is available (left the experimental status callout to the ERS docs page rather than flagging it as experimental here, since that status may change)

For a comprehensive tutorial with IdP integration examples, troubleshooting, and step-by-step guides, see the [Subject Mapping Comprehensive Guide](/guides/subject-mapping-guide).
:::

:::note Entity attributes come from the Entity Resolution Service (ERS)
Subject Mappings evaluate conditions against the **Entity Representation** produced by the Entity Resolution Service — not directly against IdP tokens. Depending on ERS configuration, entity attributes may come from:
- Access token claims (JWT)
- IdP user info (e.g., Keycloak, Okta)
- LDAP / Active Directory
- SQL databases

This means a Subject Condition Set matching `.emailAddress` will work regardless of whether that attribute comes from a JWT claim, an LDAP directory entry, or a SQL row — as long as ERS resolves it into the entity representation. Multi-source ERS support is available; see the [Entity Resolution](/components/entity_resolution) documentation.
:::

As data is bound to fully qualified Attribute Values when encrypted within a TDF, entities are associated with Attribute values through a mechanism called Subject Mappings.

Entities (subjects, users, machines, etc.) are represented by their identity as determined from an identity provider (IdP). After an entity has securely authenticated with the IdP, the client's token (OIDC/OAUTH2) will include claims or attributes that describe that identity. Subject Mappings define how to map these identity attributes to actions on attribute values defined in the OpenTDF platform Policy. For more details on how the platform integrates with the IdP and how entities are resolved, refer to the [Authorization documentation](../authorization).
Expand Down
8 changes: 8 additions & 0 deletions docs/guides/_category_.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
{
"label": "Guides",
"position": 3,
"link": {
"type": "generated-index",
"description": "Comprehensive guides and tutorials for implementing OpenTDF features."
}
}
Loading