Extended attributes to add to token

In the WebSEAL configuration file, you can specify extended attributes from a user credential to add to the e-community single signon token. Extended attributes are pieces of information about a user identity that are placed in the credential's extended attribute list when the credential is created. They can be added by a number of authentication mechanisms, including external authentication C API services. An external authentication C API module can be used, for example, to obtain user information from a registry that is external to Security Access Manager and attach it to the credential.

You can use this setting to customize the contents of the e-community single signon token so that the token carries only the attributes the destination domain needs. Because every attribute you add is transmitted to the other domain, forwarding only what the destination requires limits what that domain learns about the user. When you use this feature to add an attribute to a token, you must also configure the WebSEAL configuration file of the server in the destination domain: there, the stanza [ecsso-incoming-attributes] specifies how each incoming attribute is handled (extracted into the local credential or ignored).

You can specify extended attributes by name, or you can declare a pattern that matches multiple attribute names. You can use standard Security Access Manager wildcard-matching characters. For a list of supported wildcard pattern matching characters, see Supported wildcard pattern matching characters.

The key of each entry is the name of the destination domain for which the token is intended. You can include multiple entries for the same domain, each specifying one attribute name or one pattern.

The syntax is:

[ecsso-token-attributes]
domain_name = pattern1
domain_name = pattern2
...
domain_name = patternN
<default> = pattern1
<default> = pattern2
...
<default> = patternN

The <default> entry is optional. When WebSEAL does not find an entry whose key matches the destination domain name, it looks for a <default> entry. If the configuration file contains a <default> entry, WebSEAL applies the patterns assigned to <default> to the token for that domain. If neither a matching domain entry nor a <default> entry exists, no extended attributes are added to the token for that domain. The string <default> is a keyword and must be specified exactly as shown above, including the < and > characters.

Example: You are creating an e-community single signon solution between two domains: example1.com and example2.com. Users log in to example1.com but can be redirected to example2.com during the user session. Your deployment includes a customized external authentication C API module that inserts information into each user credential. The information consists of an attribute with the fixed name "job_category" and a variable number of attributes whose names are prefixed with the characters "my_ext_attr_". This information needs to be added to the e-community single signon token that WebSEAL in example1.com generates for example2.com. The entries in the example1.com WebSEAL configuration file would be:

[ecsso-token-attributes]
example2.com = job_category
example2.com = my_ext_attr_*
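To make the selection rules concrete (domain entries first, then the <default> fallback, then wildcard matching of credential attribute names), the following added Python script simulates them against the example stanza above. It is an illustration written for this page, not WebSEAL code: the credential attribute names and values are constructed, and Python's fnmatch is used as a stand-in for the Security Access Manager wildcard matcher, which is an assumption (the two agree on the "*" and "?" characters used here but are not guaranteed to agree on every supported pattern character).

```python
import fnmatch  # assumption: approximates the Security Access Manager wildcard matcher

# Constructed stanza: the page's example1.com entries plus a <default> entry
# added here to exercise the fallback for domains that have no entry of their own.
STANZA = """
[ecsso-token-attributes]
example2.com = job_category
example2.com = my_ext_attr_*
<default> = job_category
"""

# Constructed credential extended attributes. "salary_band" is included only to
# show that an attribute matching no pattern never leaves the domain.
CREDENTIAL = {
    "job_category": "engineering",
    "my_ext_attr_office": "Berlin",
    "my_ext_attr_clearance": "internal",
    "salary_band": "B7",
}


def parse_stanza(text, stanza="ecsso-token-attributes"):
    """Return {key: [pattern, ...]} for one stanza, preserving entry order.

    Keys are destination domain names or the literal keyword <default>.
    """
    patterns = {}
    in_stanza = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line[1:-1] == stanza
            continue
        if in_stanza and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            patterns.setdefault(key, []).append(value)
    return patterns


def patterns_for_domain(patterns, domain):
    """Entries keyed by the domain win; otherwise use <default>; otherwise nothing."""
    if domain in patterns:
        return patterns[domain]
    return patterns.get("<default>", [])


def select_token_attributes(credential_attrs, patterns, domain):
    """Pick the credential attributes whose names match a pattern for this domain."""
    selected = {}
    for pattern in patterns_for_domain(patterns, domain):
        for name, value in credential_attrs.items():
            if fnmatch.fnmatchcase(name, pattern):
                selected[name] = value
    return selected


if __name__ == "__main__":
    rules = parse_stanza(STANZA)
    for destination in ("example2.com", "example3.com"):
        print(destination, select_token_attributes(CREDENTIAL, rules, destination))
```

Running the script shows that the token for example2.com carries job_category and both my_ext_attr_ attributes but not salary_band, while a domain with no entry of its own (example3.com, invented for this illustration) receives only what <default> names. Choosing a narrow prefix such as my_ext_attr_* rather than a bare * is what keeps attributes like salary_band inside the originating domain.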