User mapping rules evaluator
The user mapping rules evaluator evaluates user mapping rules within the constraints required by the user mapping engine. A configuration file that you specify supplies the pre-configured rules to the authenticated user mapping module.
The user mapping rules evaluator sends the rule policy with the XML representation of the authentication request to the XSL processor for evaluation.
The input for the transformation is the XML version of the authentication request. XSL transformation rules decide how the Security Verify Access user name is mapped from the supplied user attributes information. Two inputs are used for decision making:
- The XML representation of the authentication request.
- The XSL rule, which determines how the XML is interpreted.
The output from the decision determines the Security Verify Access user identity and attributes.
| XML Element | Description | Example |
|---|---|---|
| `<identity>` | Contains the new user identity. The original user identity, as determined by the authentication module, is used if no identity container is provided. If an identity container is provided but the identity cannot be determined, it is an authentication error. An example of this situation is a failed LDAP search. | `<identity>cn=testuser,o=ibm,c=us</identity>` |
| `<attribute>` | Contains the name and value of an attribute that is added to the constructed credential. We can supply multiple attributes in the response. Use a unique name for each attribute to add to the user credential. If we add more than one attribute with the same name in the XSLT rules, only one of the attributes with that name is added to the user credential. | `<attribute name="qop">test-qop</attribute>` |
The value for the identity or attribute can either be a static string or an LDAP search query. The LDAP search query uses the following format:
<userreg base='%base%' attr='%name%'>%ldap-search-filter%</userreg>
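The following is an added example, not code from the product, that applies the evaluator's decision rules to the XML a user mapping rule emits: the original identity is kept when no `<identity>` container is present, an `<identity>` container whose value cannot be determined (for example, an LDAP search that returns nothing) is an authentication error, and only one `<attribute>` of a given name is added to the credential. It assumes a `<mapping>` root element around the rule output (the page does not name one), keeps the first attribute of a duplicated name (the page does not say which is kept), and replaces the LDAP server behind `<userreg>` with a small constructed in-memory directory.

```python
"""Decision rules applied to the output of an XSL user mapping rule (added example)."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

# Stand-in for the LDAP search behind <userreg>: (base, attr, filter) -> value or None
LdapSearch = Callable[[str, str, str], Optional[str]]


class UserMappingError(Exception):
    """An <identity> container is present but no identity could be determined."""


def _resolve(elem: ET.Element, ldap_search: LdapSearch) -> Optional[str]:
    """Value of <identity>/<attribute>: static text, or the result of a <userreg> query."""
    userreg = elem.find("userreg")
    if userreg is None:
        return (elem.text or "").strip() or None
    return ldap_search(userreg.get("base", ""), userreg.get("attr", ""), (userreg.text or "").strip())


def evaluate(rule_output: str, original_identity: str, ldap_search: LdapSearch) -> Tuple[str, Dict[str, str]]:
    """Return the Security Verify Access identity and credential attributes for one rule output."""
    root = ET.fromstring(rule_output)  # <mapping> root element is an assumption of this example
    identity = original_identity  # no identity container: keep the authenticated identity
    container = root.find("identity")
    if container is not None:
        resolved = _resolve(container, ldap_search)
        if resolved is None:  # container present, identity undetermined: authentication error
            raise UserMappingError("identity container present but identity could not be determined")
        identity = resolved
    attributes: Dict[str, str] = {}
    for attr in root.findall("attribute"):
        name = attr.get("name")
        if not name or name in attributes:  # duplicate name: only one attribute is added (first kept here)
            continue
        value = _resolve(attr, ldap_search)
        if value is not None:
            attributes[name] = value
    return identity, attributes


def is_auth_error(rule_output: str, original_identity: str, ldap_search: LdapSearch) -> bool:
    """True when the rule output leads to the authentication error described above."""
    try:
        evaluate(rule_output, original_identity, ldap_search)
        return False
    except UserMappingError:
        return True


# Constructed in-memory directory standing in for the LDAP server
_DIRECTORY = {("o=ibm,c=us", "dn", "(uid=testuser)"): "cn=testuser,o=ibm,c=us",
              ("o=ibm,c=us", "mail", "(uid=testuser)"): "testuser@example.com"}


def fake_ldap_search(base: str, attr: str, ldap_filter: str) -> Optional[str]:
    return _DIRECTORY.get((base, attr, ldap_filter))


# Constructed sample rule output: identity from an LDAP search, one static and one LDAP attribute,
# plus a duplicate "qop" attribute that must not overwrite the first.
SAMPLE_OUTPUT = """<mapping>
  <identity><userreg base='o=ibm,c=us' attr='dn'>(uid=testuser)</userreg></identity>
  <attribute name="qop">test-qop</attribute>
  <attribute name="mail"><userreg base='o=ibm,c=us' attr='mail'>(uid=testuser)</userreg></attribute>
  <attribute name="qop">ignored-duplicate</attribute>
</mapping>"""
```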
- Format and constraints of rules: Define an authenticated user mapping rule as an XSL template in an XSL style sheet.
- Sample user mapping rule: This example XSLT rule sets a new user identity that is derived from an LDAP search and two new attributes.
- Troubleshooting user mapping rule problems: An error in the XSLT rule might cause the authentication to fail. The following table details some of the common problems in the XSLT rules and the corresponding failure scenarios.

Parent topic: Authenticated User Mapping