Extended attributes to extract from a token
In the WebSEAL configuration file, we can specify how the token consume module handles extended attributes that have been added to a cross-domain single sign-on token.
The attributes can be either extracted or ignored. In some cases, the attributes must be extracted because there is no way for a server in the destination domain to generate them. In other cases, we do not want to extract the attributes, because the server in the destination domain can use an independent process to gather the same extended attributes. For example, an attribute can be a timestamp that must reflect the system time on the destination server.
In the token consume module, attributes that are extracted from the token are passed through to the cross-domain mapping framework module. The default cross-domain mapping framework module passes attributes directly through to the user credential. Customized cross-domain mapping framework modules can manipulate attributes as needed before passing them to the user credential.
The syntax for the entries is as follows:
[cdsso-incoming-attributes]
attribute_pattern = {preserve|refresh}
Typically, the names of the extended attributes (attribute_pattern) match the names of the attributes specified in the [cdsso-token-attributes] stanza of the configuration file for a WebSEAL server that generates the tokens. The value must be one of the following keywords:
- preserve
Extract all attributes that match attribute_pattern.
- refresh
Do not extract attributes that match attribute_pattern; if the destination server needs the attribute, it regenerates the value itself.
Extended attributes in the token that do not match an entry in [cdsso-incoming-attributes] are preserved (extracted).
The order of the entries in the stanza is important: the first entry that matches an attribute name is used, and later entries are ignored. For example, to extract the attribute named my_special_attr1 but ignore all other attributes with the prefix my_special_attr_, the stanza entries should be:
[cdsso-incoming-attributes]
my_special_attr1 = preserve
my_special_attr_* = refresh
Using the examples shown in Extended attributes to add to token, the entries in the WebSEAL configuration file for a server that operates in the example2.com domain could be:
[cdsso-incoming-attributes]
job_category = preserve
my_cdas_attr_1 = preserve
my_cdas_attr_* = refresh
In this example, the attributes job_category and my_cdas_attr_1 are extracted from the token. All other attributes with the prefix my_cdas_attr_ are ignored. Attributes that match no entry are still extracted.
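The following is an added illustration, written for this page and not WebSEAL's own code, of the first-match resolution that the stanza above relies on. It parses a constructed configuration fragment containing the example2.com entries, applies the rules to a constructed set of token attributes, and shows what happens when the same two entries are written in the opposite order. It assumes that the attribute_pattern wildcard behaves like a shell-style glob (the page only shows a trailing `*`), that matching is case-sensitive, and that an unmatched attribute is preserved, as stated above.

```python
import fnmatch
from typing import Dict, List, Tuple

Entries = List[Tuple[str, str]]

# Constructed configuration fragment (not a real WebSEAL file). It mirrors the
# example2.com stanza on this page; the second stanza exists only to show that
# entries outside [cdsso-incoming-attributes] are not read.
WEBSEAL_CONF = """
[cdsso-incoming-attributes]
job_category = preserve
my_cdas_attr_1 = preserve
my_cdas_attr_* = refresh

[some-other-stanza]
my_cdas_attr_1 = refresh
"""


def parse_incoming_attributes(conf_text: str) -> Entries:
    """Return the (attribute_pattern, action) entries of
    [cdsso-incoming-attributes] in file order. File order is what
    first-match resolution depends on, so it must be kept."""
    entries: Entries = []
    in_stanza = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line == "[cdsso-incoming-attributes]"
            continue
        if not in_stanza:
            continue
        pattern, sep, action = line.partition("=")
        action = action.strip().lower()
        if not sep or action not in ("preserve", "refresh"):
            raise ValueError(f"bad [cdsso-incoming-attributes] entry: {line!r}")
        entries.append((pattern.strip(), action))
    return entries


def action_for(attr_name: str, entries: Entries) -> str:
    """First matching entry wins; an attribute that matches no entry is
    preserved (extracted). Wildcard matching is modelled with shell-style
    globbing (an assumption; the page only shows a trailing '*'), and
    fnmatchcase keeps it case-sensitive regardless of the host platform."""
    for pattern, action in entries:
        if fnmatch.fnmatchcase(attr_name, pattern):
            return action
    return "preserve"


def consume_token_attributes(
    token_attrs: Dict[str, str], entries: Entries
) -> Tuple[Dict[str, str], List[str]]:
    """Split the extended attributes of an incoming CDSSO token into those
    handed to the cross-domain mapping framework and those dropped so the
    destination server regenerates them."""
    extracted: Dict[str, str] = {}
    refreshed: List[str] = []
    for name, value in token_attrs.items():
        if action_for(name, entries) == "preserve":
            extracted[name] = value
        else:
            refreshed.append(name)
    return extracted, refreshed


# Constructed token payload; the values are placeholders.
TOKEN_ATTRS = {
    "job_category": "engineering",
    "my_cdas_attr_1": "kept from the token",
    "my_cdas_attr_2": "regenerated on example2.com",
    "login_time": "2024-01-01T00:00:00Z",  # matches no entry -> preserved
}

ENTRIES = parse_incoming_attributes(WEBSEAL_CONF)

if __name__ == "__main__":
    kept, dropped = consume_token_attributes(TOKEN_ATTRS, ENTRIES)
    print("extracted:", sorted(kept))
    print("refreshed:", dropped)
    # Same two entries in the opposite order: my_cdas_attr_1 now hits the
    # wildcard first and is dropped, which is the ordering pitfall above.
    print("reversed order ->", action_for("my_cdas_attr_1", list(reversed(ENTRIES))))
```

The reversed-order call at the end is the check worth running before deploying a stanza: any specific `preserve` entry must appear above the wildcard `refresh` entry that would otherwise swallow it.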
Parent topic: Extended attributes for CDSSO