Specify the attributes to add to the credential

The attributes to add to the credential are configured in several stanzas.

About this task

Add this information to the WebSEAL configuration file.

Review the following example entry.

[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli

[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
tagvalue_credattrs_address = homepostaladdress
tagvalue_credattrs_email = mail

[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory

The stanza name [TAM_CRED_ATTRS_SVC] is the service ID. The entries inside this stanza are the sources from which attributes are retrieved. The source names, such as eperson and group, are labels that you define; each one identifies a location in the registry. The value of each source entry is either a registry identifier (for example, a DN) that exists in the registry, or the name of an attribute that is already in the credential (for example, azn_cred_registry_id). In the second case, the service automatically reads the value of that credential attribute and uses it as the registry identifier.

Procedure

Configure the registry attributes for each source under the service stanza in a separate stanza. The name of the separate stanza is the service ID followed by a colon (:) and then the source name, for example [TAM_CRED_ATTRS_SVC:eperson]. Prefixing the source name with the service ID is necessary because more than one service can be configured in the same file. Each entry in these stanzas maps a user-defined credential attribute name (the keyword) to the user registry attribute (the value) that supplies it.

For example, in an LDAP user registry, the DN for a user might be

cn=joeuser, o=tivoli

For this user, the LDAP user registry entries might be:

sn=Smith
employeetype=bankteller
homepostaladdress="3004 Mission St Santa Cruz CA 95060"
mail=joeuser@bigco.com

For the group cn=enterprise,o=tivoli, the LDAP group registry entry might be:

businesscategory=finance

Using these example configuration entries, the attribute list returned has the following entries:

Attribute name               Attribute value
credattrs_lastname           Smith
credattrs_employeetype       bankteller
credattrs_address            3004 Mission St Santa Cruz CA 95060
credattrs_email              joeuser@bigco.com
credattrs_businesscategory   finance

Note that the service, the source, and the attributes can all be multi-valued. If you specify the same credential attribute name as the keyword of more than one stanza entry, the values retrieved are added to the credential as one multi-valued attribute, even when they come from different sources.

More than one entitlement service can also be chained together, so that values retrieved by one service are used as input values for another service. Likewise, attributes can be retrieved from more than one DN in the user registry. Using the example above, you could therefore collect the values from several users (DNs) into a single credattrs_businesscategory attribute if you wanted a list of all the businesscategory entries for a group of users.

For example, if you want to build an attribute called myemployeeinfo to add to the credential, and you want this attribute to contain the last name and employee type of everyone who authenticates, you could define a service named myID with a single source that reads the authenticated user's DN from the azn_cred_authzn_id credential attribute, and map both registry attributes to the same keyword:

[myID]
source = azn_cred_authzn_id

[myID:source]
myemployeeinfo = sn
myemployeeinfo = employeetype
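The following script is an added illustration, not IBM code: it models how the [service-id] stanza (source name to credential attribute name or literal DN) and the [service-id:source] stanzas (credential attribute name to registry attribute) combine into the attribute list the service returns, including the multi-valued myemployeeinfo case and the chaining of two services. The registry content and the credential are constructed inline to match the joeuser example on this page; the real service reads them from the configured registry and from the authenticated user's credential.

```python
"""Simulation of the credential attribute entitlement service lookup.

Added example, not IBM code. The LDAP registry and the credential below
are constructed stand-ins for the joeuser example.
"""
from collections import OrderedDict

# The configuration entries from this page plus the myID example.
# Keys may repeat: repeated keys become one multi-valued attribute.
CONFIG = """\
[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli

[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
tagvalue_credattrs_address = homepostaladdress
tagvalue_credattrs_email = mail

[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory

[myID]
source = azn_cred_authzn_id

[myID:source]
myemployeeinfo = sn
myemployeeinfo = employeetype
"""

# Constructed stand-in for the LDAP registry: DN -> attribute -> values.
REGISTRY = {
    "cn=joeuser,o=tivoli": {
        "sn": ["Smith"],
        "employeetype": ["bankteller"],
        "homepostaladdress": ["3004 Mission St Santa Cruz CA 95060"],
        "mail": ["joeuser@bigco.com"],
    },
    "cn=enterprise,o=tivoli": {"businesscategory": ["finance"]},
}

# Constructed credential for joeuser after authentication; both standard
# attributes hold the user DN here.
CREDENTIAL = {
    "azn_cred_registry_id": ["cn=joeuser,o=tivoli"],
    "azn_cred_authzn_id": ["cn=joeuser,o=tivoli"],
}


def parse_stanzas(text):
    """Parse stanza text into {stanza: [(key, value), ...]}, keeping duplicate keys in order."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError("entry outside a stanza or missing '=': %r" % line)
        key, _, value = line.partition("=")  # first '=' only: DN values contain '='
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def normalize_dn(dn):
    """Drop optional whitespace after commas so 'cn=a, o=b' and 'cn=a,o=b' match."""
    return ",".join(part.strip() for part in dn.split(","))


def resolve_source(value, credential):
    """A source value either names an existing credential attribute whose values
    are DNs, or is a literal DN. Returns the list of DNs to read."""
    if value in credential:
        return [normalize_dn(v) for v in credential[value]]
    return [normalize_dn(value)]


def run_service(service_id, stanzas, registry, credential):
    """Return the attributes one service adds: name -> list of values."""
    result = OrderedDict()
    for source_name, source_value in stanzas.get(service_id, []):
        mapping = stanzas.get(service_id + ":" + source_name, [])
        for dn in resolve_source(source_value, credential):
            entry = registry.get(dn, {})  # an unknown DN contributes nothing
            for cred_attr, reg_attr in mapping:
                for v in entry.get(reg_attr, []):
                    result.setdefault(cred_attr, []).append(v)
    return result


def chain(service_ids, stanzas, registry, credential):
    """Run services in order; each one sees the attributes added by the previous ones."""
    cred = {k: list(v) for k, v in credential.items()}
    for service_id in service_ids:
        for name, values in run_service(service_id, stanzas, registry, cred).items():
            cred.setdefault(name, []).extend(values)
    return cred


if __name__ == "__main__":
    stanzas = parse_stanzas(CONFIG)
    for name, values in run_service("TAM_CRED_ATTRS_SVC", stanzas, REGISTRY, CREDENTIAL).items():
        print(name, values)
    print(run_service("myID", stanzas, REGISTRY, CREDENTIAL))
```

Two points of the design are worth noting. The parser splits each entry on the first equals sign only, because a literal DN source such as `cn=enterprise, o=tivoli` contains equals signs of its own, and it keeps repeated keywords rather than overwriting them, which is what turns the two myemployeeinfo entries into one two-valued attribute. A source whose DN is not found in the registry simply contributes no values, so a misspelt DN shows up as a silently missing attribute rather than an error; check the returned list during testing rather than assuming the mapping applied.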