Valid user mapping attributes

A list of authenticated user mapping attributes can be used in the mapping rules.

The following table lists the available attributes.

Table 1. Valid user attributes
Attribute	Description
`address`	The address of the client that originates the authentication request.
`qop`	A string that represents the quality-of-protection of the incoming request.
`browser`	An identifier for the browser that originates the request.
`method`	A string that identifies the method that is used to authenticate the user.
`attr:<xxx>`	Any extended attributes that are provided by the authentication mechanism.

If the selected authentication method requires a user name and password, the following extended attributes are available:

Table 2. Extended attributes - user name and password
Attribute	Description
`username`	The name of the user during the authentication.
`password`	The password that is used during the authentication. The value of this attribute is masked in the associated logged output for security reasons.

Note: You can configure an External Authentication Interface (EAI) for WebSEAL authentications. If the EAI returns a username value, you can use the authenticated user mapping function. However, EAIs that return an Extended Privilege Attribute Certificate (EPAC) cannot use this function.

If the selected authentication method requires an SSO token, the following extended attributes are available.

Table 3. Extended attributes - SSO token
Attribute	Description
`query`	The query string from the request.
`referer`	The referer header from the request.
`token_type`	The type of token. The value can be `auth`, `ecc`, `vft`.

If the selected authentication method requires a certificate, the following extended attributes are available.

Table 4. Extended attributes - certificate
Attribute	Description
`x509.base64_certificate`	A base64 encoded representation of the certificate.
`x509.basic_constraints_ca`	The constraints that are associated with the CA who issued the certificate.
`x509.basic_constraints_path_len`	The depth of valid certification paths that include this certificate.
`x509.certificate_policy_id`	An identifier that names the policy that is acceptable to the certificate user.
`x509.crl_distribution_points`	The distribution points for the CRL information.
`x509.der_certificate`	A DER encoded representation of the certificate.
`x509.fingerprint`	The fingerprint that is associated with the certificate.
`x509.fingerprint_algorithm`	The algorithm that is used to generate the fingerprint that is associated with the certificate.
`x509.issuer_cn`	The common name of the issuer of the certificate.
`x509.issuer_country`	The country identifier that is associated with the issuer of the certificate.
`x509.issuer_dn`	The full domain name of the issuer of the certificate.
`x509.issuer_dn_der`	A DER encoded representation of the domain name of the issuer of the certificate.
`x509.issuer_email`	The email address that is associated with the issuer of the certificate.
`x509.issuer_locality`	The locality that is associated with the issuer of the certificate.
`x509.issuer_org`	The name of the organization that is associated with the issuer of the certificate.
`x509.issuer_org_unit`	The name of the organizational unit that is associated with the issuer of the certificate.
`x509.issuer_postal_code`	The postal code of the issuer of the certificate.
`x509.issuer_state`	The name of the state that is provided by the issuer of the certificate.
`x509.issuer_unique_id`	A unique identifier for the issuer of the certificate.
`x509.key_usage`	Defines the purpose of the key that is contained in the certificate.
`x509.public_key`	The public key that is used by the certificate.
`x509.public_key_algorithm`	The key algorithm that is used by the certificate.
`x509.public_key_size`	The size of the public key.
`x509.serial_number`	The serial number that is associated with the certificate.
`x509.signature_algorithm`	The algorithm that is used to generate the certificate signature.
`x509.subject_alternative_dirname`	A directory name that is associated with the subject of the certificate.
`x509.subject_alternative_dnsname`	A DNS name that is associated with the subject of the certificate.
`x509.subject_alternative_email`	The email address that is associated with the subject of the certificate.
`x509.subject_alternative_ipaddr`	The IP address that is associated with the subject of the certificate.
`x509.subject_alternative_uri`	A URI that is associated with the subject of the certificate.
`x509.subject_cn`	The common name of the subject of the certificate.
`x509.subject_country`	The country identifier that is associated with the subject of the certificate.
`x509.subject_dn`	The full domain name of the subject of the certificate.
`x509.subject_dn_der`	A DER encoded representation of the domain name of the subject of the certificate.
`x509.subject_email`	The email address that is associated with the subject of the certificate.
`x509.subject_locality`	The locality that is associated with the subject of the certificate.
`x509.subject_org`	The name of the organization that is associated with the subject of the certificate.
`x509.subject_org_unit`	The name of the organizational unit that is associated with the subject of the certificate.
`x509.subject_postal_code`	The postal code of the subject of the certificate.
`x509.subject_state`	The name of the state that is provided by the subject of the certificate.
`x509.subject_unique_id`	A unique identifier for the subject of the certificate.
`x509.valid_from`	The date from which the certificate is valid. The date is the number of seconds since epoch.
`x509.valid_from_ex`	The date from which the certificate is valid. The date format is `hh:mm:ss dd-mm-yyyy`.
`x509.valid_to`	The date to which the certificate is valid. The date is the number of seconds since epoch.
`x509.valid_to_ex`	The date to which the certificate is valid. The date format is `hh:mm:ss dd-mm-yyyy`.
`x509.version`	The certificate version number.
`x509.ext.xxx`	Each of the attributes that are contained in the x509 certificate extension is included. They are prefixed with the name `x509.ext`.

Notes:

The x509 data, except for the x509 extensions, is included in the constructed XML document only if it is required by the rule. This design decreases the size of the constructed XML document, which improves performance.
All data is XML encoded. Non-printable data is encoded as \xhh;, where hh is the code point in hexadecimal form.

If the selected authentication method is Kerberos authentication, an extended attribute that represents the security identifier (SID) is available in the XML representation of the authentication data. The name of the attribute is attr:<spnego-sid-attr-name>, which corresponds to the spnego-sid-attr-name configuration entry in the [spnego] stanza.