Examples of user mapping rules
This section gives two examples of the string that an XSLT user mapping rule produces when it is evaluated: the first returns a free-format text string, and the second directs the CDAS to search the user registry and return an attribute of the matching entry.
In the first example, the rule tests a string taken from the client certificate: if the SubjectDN attribute equals the expected value, the rule returns that Distinguished Name (DN) as a free-format string enclosed in "!" delimiters. The XPath comparison is literal and case-sensitive, so the test string must match the SubjectDN value exactly as it appears in the STSUniversalUser document (the certificate details below present it as CN=testuser,O=ibm,C=au). The xsl:when element is one branch of the xsl:choose in the complete mapping rule; the surrounding stylesheet is not shown.
- Rule:

  <!-- Test a valid 'free format' string. -->
  <xsl:when test='stsuuser:Attribute[@name="SubjectDN"]/stsuuser:Value = "CN=testuser,O=ibm,C=au"'>
    !<xsl:value-of select="stsuuser:Attribute[@name='SubjectDN']/stsuuser:Value"/>!
  </xsl:when>

- Details from Client Certificate:

  <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
    <stsuuser:Principal>
      <stsuuser:Attribute name="name">
        <stsuuser:Value>CN=testuser,O=ibm,C=au</stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:Principal>
    <stsuuser:AttributeList>
      <stsuuser:Attribute name="SubjectDN" type="urn:ibm:security:gskit">
        <stsuuser:Value>CN=testuser,O=ibm,C=au</stsuuser:Value>
      </stsuuser:Attribute>
      ...
    </stsuuser:AttributeList>
  </stsuuser:STSUniversalUser>

- String returned by CDAS:

  CN=testuser,O=ibm,C=au
In the second example, the rule searches the user registry and returns the user Common Name (CN) from the registry entry rather than a value from the certificate. The rule output is a userreg directive of the form !userreg base='<search base>' attr='<attribute to return>'!<LDAP search filter>!: the CDAS searches the registry beneath o=ibm,c=au for an entry whose description attribute equals the e-mail address taken from the client certificate (the SubjectEmail attribute) and returns the cn attribute of that entry. As written, the rule copies the SubjectEmail value into the LDAP filter verbatim; a value containing filter metacharacters such as "*", "(" or ")" would change what the filter matches, so substitute only certificate attributes whose content is controlled by a certificate authority you trust.
- Rule:

  <!-- Test a matching 'userreg' string. -->
  <xsl:when test='stsuuser:Attribute[@name="SubjectDN"]/stsuuser:Value = "cn=testuser3,o=ibm,c=au"'>
    !userreg base='o=ibm,c=au' attr='cn'!(description=<xsl:value-of select="stsuuser:Attribute[@name='SubjectEmail']/stsuuser:Value"/>)!
  </xsl:when>

- Details from Client Certificate:

  <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
    <stsuuser:Principal>
      <stsuuser:Attribute name="name">
        <stsuuser:Value>cn=testuser3,o=ibm,c=au</stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:Principal>
    <stsuuser:AttributeList>
      <stsuuser:Attribute name="SubjectDN" type="urn:ibm:security:gskit">
        <stsuuser:Value>cn=testuser3,o=ibm,c=au</stsuuser:Value>
      </stsuuser:Attribute>
      <stsuuser:Attribute name="SubjectEmail" type="urn:ibm:security:gskit">
        <stsuuser:Value>testuser3@ibm.com</stsuuser:Value>
      </stsuuser:Attribute>
      ...
    </stsuuser:AttributeList>
  </stsuuser:STSUniversalUser>

- String returned from user registry:

  cn=testuser3
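The two rules above, modelled in Python as an added example. This is not the product's XSLT engine and not code from the page: mapping_rule reproduces the two xsl:when tests over the STSUniversalUser documents shown (embedded here as constructed sample input), interpret splits the "!"-delimited output into either a plain string or the parts of a userreg directive (a grammar inferred from this page's single example, not from a specification), and ldap_filter_escape with description_filter show what the (description=...) filter becomes when the SubjectEmail value contains LDAP filter metacharacters, with and without RFC 4515 escaping. The escaping is an illustration of the risk; whether the product escapes substituted values is not stated on this page.

```python
import re
import xml.etree.ElementTree as ET

NS = {"stsuuser": "urn:ibm:names:ITFIM:1.0:stsuuser"}

# Constructed sample input: the two STSUniversalUser documents from the page,
# reduced to the attributes the rules read.
CERT_TESTUSER = """\
<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:Principal>
    <stsuuser:Attribute name="name">
      <stsuuser:Value>CN=testuser,O=ibm,C=au</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:Principal>
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="SubjectDN" type="urn:ibm:security:gskit">
      <stsuuser:Value>CN=testuser,O=ibm,C=au</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:AttributeList>
</stsuuser:STSUniversalUser>
"""

CERT_TESTUSER3 = """\
<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:Principal>
    <stsuuser:Attribute name="name">
      <stsuuser:Value>cn=testuser3,o=ibm,c=au</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:Principal>
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="SubjectDN" type="urn:ibm:security:gskit">
      <stsuuser:Value>cn=testuser3,o=ibm,c=au</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="SubjectEmail" type="urn:ibm:security:gskit">
      <stsuuser:Value>testuser3@ibm.com</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:AttributeList>
</stsuuser:STSUniversalUser>
"""


def attribute_value(doc, name):
    """Look up stsuuser:AttributeList/Attribute[@name=...]/Value, the path the rules test."""
    root = ET.fromstring(doc)
    path = f"stsuuser:AttributeList/stsuuser:Attribute[@name='{name}']/stsuuser:Value"
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def mapping_rule(doc):
    """Python equivalent of the two xsl:when branches. Returns the delimited
    string the XSLT would emit, or None when neither test matches (a complete
    rule would handle that case in an xsl:otherwise branch)."""
    subject_dn = attribute_value(doc, "SubjectDN")
    # XPath '=' on strings is a literal, case-sensitive comparison.
    if subject_dn == "CN=testuser,O=ibm,C=au":
        # First example: free-format string, the DN wrapped in '!' delimiters.
        return f"!{subject_dn}!"
    if subject_dn == "cn=testuser3,o=ibm,c=au":
        # Second example: userreg directive. The SubjectEmail value is copied
        # into the LDAP filter verbatim, exactly as the XSLT does.
        email = attribute_value(doc, "SubjectEmail")
        return f"!userreg base='o=ibm,c=au' attr='cn'!(description={email})!"
    return None


# Directive grammar inferred from the page's one example (assumption).
USERREG = re.compile(r"^!userreg base='([^']*)' attr='([^']*)'!(.*)!$")


def interpret(output):
    """Split the delimited rule output into a plain string or the parts of a
    userreg directive: search base, attribute to return, LDAP filter."""
    m = USERREG.match(output)
    if m:
        return {"kind": "userreg", "base": m.group(1), "attr": m.group(2), "filter": m.group(3)}
    if output.startswith("!") and output.endswith("!"):
        return {"kind": "string", "value": output[1:-1]}
    raise ValueError("rule output is not '!'-delimited: %r" % output)


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP filter assertion.
    Added here to illustrate the risk; the page does not say whether the
    product escapes substituted values."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def description_filter(email, escape):
    """Build the '(description=<email>)' filter of the second rule, verbatim or escaped."""
    return "(description=%s)" % (ldap_filter_escape(email) if escape else email)


if __name__ == "__main__":
    for doc in (CERT_TESTUSER, CERT_TESTUSER3):
        out = mapping_rule(doc)
        print(out, "->", interpret(out))
    # A SubjectEmail of 'te*' turns the verbatim filter into a wildcard match.
    print(description_filter("te*", escape=False), "vs", description_filter("te*", escape=True))
```

Running the block prints the two delimited strings and their interpretation, then shows the same e-mail value producing (description=te*), which matches every entry whose description starts with "te", beside the escaped (description=te\2a), which matches only the literal text.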