The following fields are available on the Attributes
configuration screen:
Name:
Enter a name for this filter here.
Attributes:
The Attributes table lists the checks that the
Enterprise Gateway will perform on user attributes stored in the
attribute.lookup.list message attribute. The
following points describe how the Enterprise Gateway carries out the checks
listed in the table.
- The entries in the table are OR-ed together so that if any one of
  them succeeds, the filter will return a "pass" result.
- The attribute checks listed in the table will be run in series
  until one of them passes.
- It is possible to add a number of attribute-value pairs to a single
  attribute check by separating them with commas, e.g.
  "company=oracle, department=engineering, role=engineer".
- If multiple attribute-value pairs are present in a given attribute
  check, these pairs are AND-ed together so that the overall
  attribute check will only "pass" if all the attribute-value pairs
  "pass". So, for example, if the attribute check comprises
  "department=engineering, role=engineer", this check will only
  "pass" if both attributes are found with the correct values in the
  attribute.lookup.list message attribute.
To add an attribute check to the Attributes table,
click the Add button. Attributes can then be entered
in the Add Attributes dialog.
For attribute checks involving attributes extracted from a SAML attribute
assertion, it is necessary to specify the namespace of the attribute as
it was given in the assertion. So, for example, the Enterprise Gateway can
extract the "role" attribute from the following SAML
<AttributeStatement> and store it in the
attribute.lookup.list map:
<saml:AttributeStatement>
  <saml:Attribute Name="role" NameFormat="http://www.company.com">
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="http://www.company.com">
    <saml:AttributeValue>joe@company.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="dept" NameFormat="">
    <saml:AttributeValue>engineering</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
The "NameFormat" attribute of the <Attribute> element
gives the namespace of the attribute name. This namespace must be
entered (together with a corresponding prefix) in the
Add Attributes dialog.
For example, to extract the "role" attribute from the SAML attribute
statement above, you should enter "pre:role=admin" in the
Attribute Requirement field. Then you must also map
the "pre" prefix to the "http://www.company.com" namespace, as specified
by the "NameFormat" attribute in the attribute statement.
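The evaluation rules described above (pairs AND-ed within a check, checks OR-ed across the table, prefixes mapped to NameFormat namespaces), modelled in Python as an added example that is not Enterprise Gateway code. Assumptions: the SAML 2.0 assertion namespace, a lookup keyed by (namespace, name) standing in for attribute.lookup.list, unprefixed names matching only the empty namespace, and an unmapped prefix failing the check.

```python
import xml.etree.ElementTree as ET

# Assumption: SAML 2.0 assertion namespace (the page does not declare the saml prefix).
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# The attribute statement from the page, with the prefix declared so it parses.
STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="role" NameFormat="http://www.company.com">
    <saml:AttributeValue>admin</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="http://www.company.com">
    <saml:AttributeValue>joe@company.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="dept" NameFormat="">
    <saml:AttributeValue>engineering</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

def build_lookup(xml_text):
    """Map (namespace, name) -> set of values; hypothetical model of attribute.lookup.list."""
    lookup = {}
    # Inline sample only; parse untrusted XML with a hardened parser such as defusedxml.
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML_NS}}}Attribute"):
        key = (attr.get("NameFormat", ""), attr.get("Name"))
        values = {v.text.strip() for v in attr.iter(f"{{{SAML_NS}}}AttributeValue") if v.text}
        lookup.setdefault(key, set()).update(values)
    return lookup

def check_passes(check, lookup, prefixes):
    """One table entry: every comma-separated attribute-value pair must match (AND)."""
    for pair in check.split(","):
        name, _, value = (s.strip() for s in pair.partition("="))
        prefix, sep, local = name.partition(":")
        if sep and prefix not in prefixes:
            return False  # assumption: an unmapped prefix fails the check
        key = (prefixes[prefix], local) if sep else ("", name)
        if value not in lookup.get(key, set()):
            return False
    return True

def filter_passes(checks, lookup, prefixes):
    """Entries run in series and are OR-ed: the first passing check passes the filter."""
    return any(check_passes(c, lookup, prefixes) for c in checks)

if __name__ == "__main__":
    table = ["pre:role=auditor", "pre:role=admin, dept=engineering"]
    print(filter_passes(table, build_lookup(STATEMENT), {"pre": "http://www.company.com"}))
```

In this model "role=admin" without the prefix does not match, because the value was stored under the "http://www.company.com" namespace.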