Attributes

Overview

The purpose of the filters in the Attributes filter group is to extract user attributes from various sources. It is possible to retrieve attributes from the message, an LDAP directory, a database, the User Store, HTTP headers, and finally, from a SAML attribute assertion.

Having retrieved a set of user attributes, the Enterprise Gateway then stores them in the attribute.lookup.list message attribute, which is essentially a map of name-value pairs. It is the role of the Attributes authorization filter to check the value of these attributes in order to authorize the user.

Configuration

The following fields are available on the Attributes configuration screen:

Name:
Enter a name for this filter here.

Attributes:
The Attributes table lists the checks that the Enterprise Gateway will perform on user attributes stored in the attribute.lookup.list message attribute. The following points describe how the Enterprise Gateway carries out the checks listed in the table.

  • The entries in the table are OR-ed together so that if any one of them succeeds, the filter will return a "pass" result.
  • The attribute checks listed in the table will be run in series until one of them passes.
  • It is possible to add a number of attribute-value pairs to a single attribute check by separating them with commas, e.g. "company=oracle, department=engineering, role=engineer".
  • If multiple attribute-value pairs are present in a given attribute check, these pairs are AND-ed together so that the overall attribute check will only "pass" if all the attribute-value pairs "pass". So, for example, if the attribute check comprises "department=engineering, role=engineer", this check will only "pass" if both attributes are found with the correct values in the attribute.lookup.list message attribute.

To add an attribute check to the Attributes table, click the Add button. Attributes can then be entered in the Add Attributes dialog.

For attribute checks involving attributes extracted from a SAML attribute assertion, it is necessary to specify the namespace of the attribute as it was given in the assertion. So, for example, the Enterprise Gateway can extract the "role" attribute from the following SAML <AttributeStatement> and store it in the attribute.lookup.list map:

<saml:AttributeStatement>
 <saml:Attribute Name="role" NameFormat="http://www.company.com">
  <saml:AttributeValue>admin</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="email" NameFormat="http://www.company.com">
  <saml:AttributeValue>joe@company.com</saml:AttributeValue>
 </saml:Attribute>
 <saml:Attribute Name="dept" NameFormat="">
  <saml:AttributeValue>engineering</saml:AttributeValue>
 </saml:Attribute>
</saml:AttributeStatement>

The "NameFormat" attribute of the <Attribute> gives the namespace of the attribute name. This namespace must be entered (together with a corresponding prefix) in the Add Attributes dialog.

For example, to extract the "role" attribute from the SAML attribute statement above, you should enter "pre:role=admin" in the Attribute Requirement field. Then you must also map the "pre" prefix to the "http://www.company.com" namespace, as specified by the "NameFormat" attribute in the attribute statement.
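The evaluation rules described above (table entries OR-ed and run in series, comma-separated pairs within one entry AND-ed, prefixed names resolved through the namespace mapping) as an added Python model; this is not Enterprise Gateway code, and the "{namespace}name" key form of the lookup map, the function names and the constructed LOOKUP contents are assumptions of the example.

```python
from typing import Iterable, List, Mapping, Tuple

def parse_check(check: str) -> List[Tuple[str, str]]:
    """Split "dept=engineering, pre:role=engineer" into (name, value) pairs;
    a malformed pair is an error, never a silent pass."""
    pairs = []
    for item in check.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed attribute-value pair: {item!r}")
        name, value = item.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    if not pairs:
        raise ValueError("empty attribute check")
    return pairs

def resolve_name(name: str, prefixes: Mapping[str, str]) -> str:
    """Expand "pre:role" to "{http://www.company.com}role" via the prefix map.
    The "{namespace}name" key form is this example's assumption."""
    if ":" not in name:
        return name
    prefix, local = name.split(":", 1)
    if prefix not in prefixes:  # reject, rather than match the prefix literally
        raise ValueError(f"unmapped namespace prefix: {prefix!r}")
    return "{%s}%s" % (prefixes[prefix], local)

def check_passes(check: str, lookup: Mapping[str, object], prefixes: Mapping[str, str]) -> bool:
    """All pairs inside one table entry are AND-ed."""
    for name, expected in parse_check(check):
        actual = lookup.get(resolve_name(name, prefixes))
        values = actual if isinstance(actual, list) else [actual]  # multi-valued attribute
        if expected not in values:
            return False
    return True

def attributes_filter(checks: Iterable[str], lookup, prefixes: Mapping[str, str]) -> bool:
    """Table entries are OR-ed, evaluated in series until one passes; an empty table passes nobody."""
    return any(check_passes(c, lookup, prefixes) for c in checks)

# Constructed attribute.lookup.list as it would look after extracting the statement above.
LOOKUP = {
    "{http://www.company.com}role": "admin",
    "{http://www.company.com}email": "joe@company.com",
    "dept": "engineering",
}
PREFIXES = {"pre": "http://www.company.com"}
```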