Extended attributes to extract from token

In the WebSEAL configuration file, we can specify how the token consume module handles extended attributes that have been added to an e-community single sign-on token.

The attributes can either be extracted or ignored. In some cases, we must extract the attributes because there is no way for a server in the destination domain to generate them. In other cases, we do not want to extract the tokens, because the server in the destination domain can use an independent process to gather the same extended attributes. For example, the attribute could reflect a timestamp that needs to reflect the system time on the destination server.

In the built-in token consume module, attributes that are extracted from the token are passed through to the cross-domain mapping framework library. The default cross-domain mapping framework library passes attributes directly through to the user credential. Customized cross-domain mapping framework libraries can manipulate attributes as needed before passing them to the user credential.

The syntax for the entries is as follows:

Typically, the names of the extended attributes (attribute_pattern) match the names of the attributes specified in the [ecsso-token-attributes] stanza of the configuration file for a WebSEAL server that generates the tokens. The value must be one of the following keywords:

Extended attributes in the token that do not match an entry in [ecsso-incoming-attributes] are preserved (extracted).

The order of the entries in the stanza is important. The first entry matching an attribute name is used. Other entries are ignored. For example, to extract the attribute named my_special_attr1 but want to ignore all other entries with the prefix my_special_attr_, the stanza entries should be:

Use the examples shown above in Extended attributes to add to token, the entries in the WebSEAL configuration file for a server that operates in the example2.com domain could be:

In this example, the attributes job_category and my_cdas_attr_1 are extracted from the token. The remainder of the attributes with the prefix my_cdas_attr_ are ignored.

Parent topic: Extended attributes for ECSSO