Attributes for extraction
WebSEAL can optionally be configured to extract attributes from a failover authentication cookie and place them into a user credential. No attributes are configured for extraction by default.
Attributes to be extracted are declared in the [failover-restore-attributes] stanza in the WebSEAL configuration file. The syntax is:
[failover-restore-attributes]
attribute_pattern = {preserve|refresh}
The value preserve tells WebSEAL to extract the attribute and add it to the credential.
The value refresh tells WebSEAL to ignore the attribute, and not extract it from the cookie.
The attribute_pattern can be either a specific attribute name, or a case-insensitive wildcard expression that matches more than one attribute name. For example, to extract all attributes with the prefix tagvalue_, add the following entry:
[failover-restore-attributes]
tagvalue_* = preserve
Attributes that do not match any patterns specified with the preserve value are not extracted from the failover authentication cookie.
The order of the stanza entries is important. Rules that appear earlier in [failover-restore-attributes] take priority over those placed later in the stanza.
The following attributes cannot be matched by a wildcard pattern, but must be explicitly defined for extraction:
- Authentication level
  [failover-restore-attributes]
  AUTHENTICATION_LEVEL = preserve
- Session lifetime timestamp
  [failover-restore-attributes]
  session-lifetime-timestamp = preserve
- Session activity timestamp
  [failover-restore-attributes]
  session-activity-timestamp = preserve
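The matching rules above (first matching entry wins, case-insensitive wildcards, three attributes that need explicit entries) can be checked against a planned stanza with the following sketch. It is an added example, not WebSEAL code: it assumes wildcards use * and ? glob syntax and that exact names are also compared case-insensitively, and the sample stanza is constructed.

```python
from fnmatch import fnmatchcase

# Per the page: a wildcard never matches these; each needs its own entry.
EXPLICIT_ONLY = {"authentication_level", "session-lifetime-timestamp",
                 "session-activity-timestamp"}

# Constructed sample stanza, not taken from a real deployment.
SAMPLE = """\
[failover-restore-attributes]
tagvalue_secret = refresh
tagvalue_* = preserve
AUTHENTICATION_LEVEL = preserve
* = preserve
"""

def parse_rules(text):
    """Return the stanza's (pattern, action) entries in file order."""
    rules, in_stanza = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_stanza = line == "[failover-restore-attributes]"
        elif in_stanza and "=" in line:
            pattern, action = (part.strip() for part in line.split("=", 1))
            if action not in ("preserve", "refresh"):
                raise ValueError(f"unknown action {action!r} for {pattern!r}")
            rules.append((pattern.lower(), action))
    return rules

def is_restored(attribute, rules):
    """True if the first rule matching `attribute` says preserve."""
    name = attribute.lower()  # assumption: exact names compare case-insensitively
    for pattern, action in rules:
        wildcard = "*" in pattern or "?" in pattern  # assumption: glob syntax
        if wildcard and name in EXPLICIT_ONLY:
            continue  # wildcards cannot select these attributes
        if (fnmatchcase(name, pattern) if wildcard else name == pattern):
            return action == "preserve"
    return False  # no matching rule: the attribute is not extracted

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for attr in ("tagvalue_secret", "TAGVALUE_dept", "AUTHENTICATION_LEVEL",
                 "session-lifetime-timestamp", "other"):
        print(f"{attr:28} restored={is_restored(attr, rules)}")
```

In the sample, the refresh entry for tagvalue_secret only takes effect because it precedes tagvalue_*, and the session timestamps are not restored even though a catch-all * entry is present.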