Mechanisms for adding registry attributes to a credential
You can configure an external service to add attributes to a user credential.
The WebSEAL authentication process accesses the ISAM user registry and builds a credential for the user. The credential contains user information needed to make access decisions such as the user name and the list of groups to which the user belongs.
WebSEAL supports several different mechanisms (services) that allow administrators and application developers to extend the authentication process. When WebSEAL conducts the authentication process, it checks to see if any external services have been implemented and configured. When they have, WebSEAL calls those services. The services can do their own processing to build a list of extended attributes about the user identity. These extended attributes are added to the user credential.
The following service is supported:
- Registry attribute entitlement service
This entitlement service is built into ISAM by default. It is an implementation of a class of ISAM entitlement services known as credential attribute entitlement services. The registry attribute entitlement service obtains specified user information from a user registry (such as an LDAP user registry) and inserts the data into an attribute list in the user credential.

This built-in registry attribute entitlement service is a generic entitlement service that can be used by many resource managers. It takes the place of a previous method that required administrators to add "tag/value" entries to the [ldap-ext-creds-tag] stanza in the pd.conf configuration file. For configuration information, see Configure a registry attribute entitlement service.

Note that ISAM provides additional built-in entitlement services that can be used to add further information. These additional services, however, obtain their information from sources other than user registry entries. For example, the extended attribute entitlement service obtains information from ACLs and POPs in the protected resource object space. For information about entitlement services, see the IBM Knowledge Center.
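As an added illustration that is not part of this topic, the mapping the registry attribute entitlement service performs can be expressed in WebSEAL configuration stanzas. The stanza names, the azn_ent_cred_attrs service identifier and the azn_cred_registry_id keyword are assumptions based on the WebSEAL configuration format and should be checked against the Configure a registry attribute entitlement service topic; the service name REG_ATTRS_SVC, the group DN and the attribute names are constructed.

```ini
# Register the built-in registry attribute entitlement service under a chosen name.
# REG_ATTRS_SVC is a constructed name; azn_ent_cred_attrs is the assumed identifier
# of the built-in credential attribute entitlement service.
[aznapi-entitlement-services]
REG_ATTRS_SVC = azn_ent_cred_attrs

# Have WebSEAL call this service during authentication so that the attributes
# it returns are added to the user credential.
[cred-attribute-entitlement-services]
REG_ATTRS_SVC

# Which registry entries to read: the authenticated user's own entry (assumed
# azn_cred_registry_id keyword) and one fixed group entry (constructed DN).
[REG_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise,o=example

# credential attribute name = LDAP attribute read from the user's entry
[REG_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeeType

# credential attribute name = LDAP attribute read from the group entry
[REG_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businessCategory
```

Only the attributes listed in these stanzas are copied into the credential, so keep the list to what downstream access decisions actually consume rather than exposing the whole registry entry.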