Valid user mapping attributes

A list of authenticated user mapping attributes can be used in the mapping rules.

The following table lists the available attributes.

Attribute Description
address The address of the client that originates the authentication request.
qop A string representing the quality-of-protection of the incoming request.
browser An identifier for the browser that originates the request.
method A string that identifies the method used to authenticate the user.
attr:<xxx> Any extended attributes that are provided by the authentication mechanism.

If the selected authentication method requires a user name and password, the following extended attributes are available:

Attribute Description
username The name of the user during the authentication.
password The password used during the authentication. The value of this attribute is masked in the associated logged output for security reasons.

We can configure an External Authentication Interface (EAI) for WebSEAL authentications. If the EAI returns a username value, we can use the authenticated user mapping function. However, EAIs that return an Extended Privilege Attribute Certificate (EPAC) cannot use this function.

If the selected authentication method requires an SSO token, the following extended attributes are available.

Attribute Description
query The query string from the request.
referer The referer header from the request.
token_type The type of token. The value can be auth, ecc, or vft.

If the selected authentication method requires a certificate, the following extended attributes are available.

Attribute Description
x509.base64_certificate A base64 encoded representation of the certificate.
x509.basic_constraints_ca The constraints associated with the CA who issued the certificate.
x509.basic_constraints_path_len The depth of valid certification paths that include this certificate.
x509.certificate_policy_id An identifier that names the policy that is acceptable to the certificate user.
x509.crl_distribution_points The distribution points for the CRL information.
x509.der_certificate A DER encoded representation of the certificate.
x509.fingerprint The fingerprint associated with the certificate.
x509.fingerprint_algorithm The algorithm used to generate the fingerprint associated with the certificate.
x509.issuer_cn The common name of the issuer of the certificate.
x509.issuer_country The country identifier associated with the issuer of the certificate.
x509.issuer_dn The full domain name of the issuer of the certificate.
x509.issuer_dn_der A DER encoded representation of the domain name of the issuer of the certificate.
x509.issuer_email The email address associated with the issuer of the certificate.
x509.issuer_locality The locality associated with the issuer of the certificate.
x509.issuer_org The name of the organization associated with the issuer of the certificate.
x509.issuer_org_unit The name of the organizational unit associated with the issuer of the certificate.
x509.issuer_postal_code The postal code of the issuer of the certificate.
x509.issuer_state The name of the state provided by the issuer of the certificate.
x509.issuer_unique_id A unique identifier for the issuer of the certificate.
x509.key_usage Defines the purpose of the key that is contained in the certificate.
x509.public_key The public key used by the certificate.
x509.public_key_algorithm The key algorithm used by the certificate.
x509.public_key_size The size of the public key.
x509.serial_number The serial number associated with the certificate.
x509.signature_algorithm The algorithm used to generate the certificate signature.
x509.subject_alternative_dirname A directory name associated with the subject of the certificate.
x509.subject_alternative_dnsname A DNS name associated with the subject of the certificate.
x509.subject_alternative_email The email address associated with the subject of the certificate.
x509.subject_alternative_ipaddr The IP address associated with the subject of the certificate.
x509.subject_alternative_uri A URI associated with the subject of the certificate.
x509.subject_cn The common name of the subject of the certificate.
x509.subject_country The country identifier associated with the subject of the certificate.
x509.subject_dn The full domain name of the subject of the certificate.
x509.subject_dn_der A DER encoded representation of the domain name of the subject of the certificate.
x509.subject_email The email address associated with the subject of the certificate.
x509.subject_locality The locality associated with the subject of the certificate.
x509.subject_org The name of the organization associated with the subject of the certificate.
x509.subject_org_unit The name of the organizational unit associated with the subject of the certificate.
x509.subject_postal_code The postal code of the subject of the certificate.
x509.subject_state The name of the state provided by the subject of the certificate.
x509.subject_unique_id A unique identifier for the subject of the certificate.
x509.valid_from The date from which the certificate is valid. The date is the number of seconds since epoch.
x509.valid_from_ex The date from which the certificate is valid. The date format is hh:mm:ss dd-mm-yyyy.
x509.valid_to The date to which the certificate is valid. The date is the number of seconds since epoch.
x509.valid_to_ex The date to which the certificate is valid. The date format is hh:mm:ss dd-mm-yyyy.
x509.version The certificate version number.
x509.ext.xxx Each of the attributes contained in the x509 certificate extension is included. They are prefixed with the name x509.ext.

Notes:

If the selected authentication method is Kerberos authentication, an extended attribute representing the security identifier (SID) is available in the XML representation of the authentication data. The name of the attribute is attr:<spnego-sid-attr-name>, which corresponds to the spnego-sid-attr-name configuration entry in the [spnego] stanza.
