Web agents in Policy Agent 3.0 support a feature where a user's session attributes are fetched and set as headers or cookies.
Session attributes are especially effective for transferring information that is dynamic. However, the information transferred only lasts during the current session.
Unlike profile attributes, session attributes are not limited to LDAP attributes retrieved from the user data store. Since session attributes allow non-user profile attributes to be fetched, you can configure the deployment to fetch attributes such as a SAML assertion.
The following are examples of session attributes: UserToken, UserId, Principal, AuthType, AuthLevel, sun.am.UniversalIdentifier, MyProperty
A good use case for fetching user session attributes presents itself when a post authentication plug-in is involved. A post authentication plug-in performs some tasks right after user authentication. You can configure a post authentication plug-in to fetch data from an external data repository and then set this data as session attributes for that user. These session attributes can be retrieved by the web container and made available to the application.
The web agent property labeled Session Attribute Fetch Mode (Tab: Application, Name: com.sun.identity.agents.config.session.attribute.fetch.mode) is responsible for fetching session attributes. This property can be configured using OpenSSO Enterprise Console and can be set to one of the following values: NONE, HTTP_HEADER, or HTTP_COOKIE.
When set to NONE, no session attributes are fetched and the property labeled Session Attribute Map (Tab: Application, Name: com.sun.identity.agents.config.session.attribute.mapping) is ignored.
With the Session Attribute Fetch Mode property set to either HTTP_HEADER or HTTP_COOKIE, the web agent fetches session attributes. Use the Session Attribute Map property to configure attributes that are to be forwarded as HTTP headers or cookies.
This section illustrates how the Session Attribute Fetch Mode property maps session attributes to headers or cookies.
Session attributes are added to an HTTP header following this format:
Here, session_attribute_name is the name of the attribute being fetched from the session, and http_header_name is the name of the header that its value gets mapped to.
In most cases, in a destination application where http_header_name appears as a request header, it is prefixed with HTTP_ and the following type of conversion takes place:
Lower case letters convert to upper case letters.
Hyphen “-” converts to underscore “_”.
“common-name”, as an example, converts to “HTTP_COMMON_NAME”.
Therefore, the Session Attribute Map property would have the following value:
successURL | success-url, contextId | context-id
The session attribute is forwarded as a header or a cookie as determined by the end-user applications on the web container that the web agent is protecting. These applications can be considered the consumers of the forwarded header values. The forwarded information is used for the customization and personalization of web pages. You can also write server-side plug-ins that set any user session attribute, and then define the corresponding attribute name and mapping in the preceding property to retrieve the value.
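The name conversion and map value described above, worked through as an added Python example (not part of the original documentation or of the agent's code). It assumes the map is written as comma-separated `session_attribute | header-name` pairs, as in the value shown; the function names are hypothetical. It also flags mapped header names that convert to the same HTTP_ variable, since the consuming application could not tell those apart.

```python
import re

# Characters permitted in an HTTP header field name (RFC 7230 "token").
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def parse_attribute_map(value):
    """Parse 'sessionAttr | header-name, ...' into a list of (attr, header)."""
    pairs = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        attr, sep, header = (part.strip() for part in entry.partition("|"))
        if not sep or not attr or not _TOKEN.fullmatch(header):
            raise ValueError(f"malformed map entry: {entry!r}")
        pairs.append((attr, header))
    return pairs


def cgi_name(header):
    """Name the header usually carries in the destination application."""
    return "HTTP_" + header.upper().replace("-", "_")


def check_map(value):
    """Return ({converted_name: session_attr}, [problems]) for a map value."""
    resolved, problems = {}, []
    for attr, header in parse_attribute_map(value):
        name = cgi_name(header)
        if name in resolved:
            problems.append(
                f"{header!r} collides on {name} with attribute {resolved[name]!r}"
            )
        else:
            resolved[name] = attr
    return resolved, problems


# Map value from the text, and a constructed value containing a collision.
PAGE_MAP = "successURL | success-url, contextId | context-id"
CONSTRUCTED_BAD_MAP = "successURL | success-url, otherAttr | Success_URL"

if __name__ == "__main__":
    print(check_map(PAGE_MAP))
    print(check_map(CONSTRUCTED_BAD_MAP))
```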