Extended attributes to add to token
In the WebSEAL configuration file, we can specify extended attributes from a user credential to add to the cross-domain single signon token. Extended attributes consist of information about a user identity that is added to an extended attribute list when a user credential is created. Extended attributes can be added by a number of authentication mechanisms, including external authentication C API services. The external authentication C API modules can be used, for example, to obtain user information from a registry that is external to ISAM.
We can use this setting to customize the contents of the e-community single signon token. This feature enables us to tailor the token contents to match the needs of the destination domain. When we use this feature to add an attribute to a token, we must also configure the WebSEAL configuration file for the server in the destination domain. For the destination server, the stanza [ecsso-incoming-attributes] specifies the handling (extract or ignore) of each attribute that arrives in the token; an attribute that the sender adds but the receiver is not configured to extract does not reach the destination credential.
We can specify extended attributes by name, or we can declare a pattern matching multiple attribute names. We can use standard Security Verify Access wildcard-matching characters. For a list of supported wildcard pattern matching characters, see Supported wildcard pattern matching characters.
Each entry is assigned the name of the domain for which the token is intended. We can include multiple entries specifying names or patterns for each domain.
The syntax is:
[ecsso-token-attributes]
domain_name = pattern1
domain_name = pattern2
...
domain_name = patternN
<default> = pattern1
<default> = pattern2
...
<default> = patternN
The <default> entry is optional. When WebSEAL does not find an entry matching the domain name, WebSEAL looks for a <default> entry. If the configuration file contains a <default> entry, WebSEAL uses the assigned attribute patterns for the current domain. The string <default> is a keyword, and must be specified exactly as shown above, including the < and > characters.
Example: You are creating an e-community single signon solution between two domains: example1.com and example2.com. Users log in to example1.com but can get redirected to example2.com during the user session. Your deployment includes a customized external authentication C API module that inserts information into each user credential. The information includes a fixed name attribute "job_category" and a variable number of attributes, each prefixed with the characters "my_ext_attr_". This information needs to be added to the cross-domain token. The configuration file entries would be:
[ecsso-token-attributes]
example2.com = job_category
example2.com = my_ext_attr_*
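The selection rule described above (the destination domain's own entries first, the <default> entries as a fallback, and a wildcard match of each pattern against the credential's extended attribute names), as an added Python model for checking which attributes a stanza will actually release to a given domain. This is illustrative code written for this page, not WebSEAL's implementation: the configuration text and the credential attribute values are constructed, and Python's fnmatch stands in for the Security Verify Access wildcard syntax as an approximation.

```python
import fnmatch

# Constructed WebSEAL-style configuration fragment, modelled on the page's
# example1.com/example2.com scenario. It is sample input for this script,
# not a real deployment's configuration file.
SAMPLE_CONFIG = """\
[server]
server-name = webseal-example1

[ecsso-token-attributes]
example2.com = job_category
example2.com = my_ext_attr_*
<default> = job_category
"""

# Constructed credential extended attributes, as an external authentication
# C API module might have inserted them (names and values are made up).
CREDENTIAL_ATTRS = {
    "job_category": "engineer",
    "my_ext_attr_dept": "security",
    "my_ext_attr_level": "3",
    "internal_only_flag": "true",
}


def parse_stanza(config_text, stanza_name):
    """Collect the key = value entries of one [stanza] as {key: [values]}.

    Repeated keys are kept in order, because the stanza may list several
    patterns for the same domain. A generic INI reader such as configparser
    would reject or collapse those duplicates, which is why a purpose-built
    reader is used here.
    """
    entries = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current != stanza_name or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries.setdefault(key, []).append(value)
    return entries


def patterns_for_domain(stanza, domain):
    """Patterns that apply to `domain`: its own entries, else <default>, else none."""
    if domain in stanza:
        return stanza[domain]
    return stanza.get("<default>", [])


def select_token_attributes(credential_attrs, stanza, domain):
    """Return the credential attributes that would be copied into the ECSSO
    token for `domain`. Name matching uses fnmatch (*, ?, [..]) as a stand-in
    for the product's wildcard syntax; treat it as an approximation.
    """
    patterns = patterns_for_domain(stanza, domain)
    return {
        name: value
        for name, value in credential_attrs.items()
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)
    }


if __name__ == "__main__":
    stanza = parse_stanza(SAMPLE_CONFIG, "ecsso-token-attributes")
    for domain in ("example2.com", "example3.com"):
        released = select_token_attributes(CREDENTIAL_ATTRS, stanza, domain)
        print(domain, sorted(released))
```

Running this against the constructed input releases job_category and both my_ext_attr_ attributes to example2.com, only job_category to example3.com (which has no entry and so falls back to <default>), and nothing when the stanza is empty. The point worth checking before widening a pattern is the one the example makes visible: a pattern such as my_ext_attr_* releases every current and future attribute whose name matches it, so the credential's full attribute list should be reviewed against the stanza, and the destination's [ecsso-incoming-attributes] stanza kept equally explicit.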