Specify the attributes to add to the credential
The attributes to add to the credential are configured in several stanzas.
About this task
Add this information to the WebSEAL configuration file.
Review the following example entry.
[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli
[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
tagvalue_credattrs_address = homepostaladdress
tagvalue_credattrs_email = mail
[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory
The stanza name [TAM_CRED_ATTRS_SVC] is the Service ID. Inside this stanza are the sources of the attributes to be retrieved. The source names, such as eperson and group, identify the source location in the registry; you need to define these. The values for these sources are registry identifiers that exist in the registry. The values can also be existing credential attribute names; if so, the service automatically finds and uses the respective values.
Procedure
For example, in an LDAP user registry, the DN for a user might be
cn=joeuser, o=tivoli
For this user, the LDAP user registry entries might be:
sn=Smith
employeetype=bankteller
homepostaladdress="3004 Mission St Santa Cruz CA 95060"
mail=joeuser@bigco.com
For the group cn=enterprise,o=tivoli, the LDAP group registry entry might be:
businesscategory=finance
Using these example configuration entries, the attribute list returned has the following entries:
| Attribute name | Attribute value |
|---|---|
| credattrs_lastname | Smith |
| credattrs_employeetype | bankteller |
| credattrs_address | 3004 Mission St Santa Cruz CA 95060 |
| credattrs_email | joeuser@bigco.com |
| credattrs_businesscategory | finance |
Note that the service, source, and attributes can be multi-valued. If you specify the same attribute name as a stanza entry keyword, then the attributes retrieved will be added as a multi-valued attribute even when they come from different sources.
For example, more than one entitlement service can be chained together, which enables values retrieved from one service to be used as input values for another service. Likewise, attributes can be retrieved from more than one DN in the user registry. Thus, using the example above, you could add values from multiple users (DNs) to one credattrs_businesscategory attribute if you wanted a list of all the businesscategory entries for a group of users.
myemployeeinfo to add to the credential, and you want this attribute to contain the last name and employee type of everyone that authenticates, you could then define the following:
[myID]
source = azn_cred_authzn_id
[myID:source]
myemployeeinfo = lastname
myemployeeinfo = employeetype
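The following is an added simulation, not WebSEAL code, of how the stanzas above are resolved: the Service ID stanza lists sources, each source is either an existing credential attribute (resolved through the credential) or a registry DN, and the [service:source] stanzas map attribute names to registry attributes. The constructed MULTI_SVC service and the in-memory REGISTRY dictionary are assumptions added to show the same attribute name collected from two DNs as one multi-valued attribute.

```python
# Constructed simulation (not WebSEAL code) of how service stanzas resolve into attributes.
CONFIG = """
[TAM_CRED_ATTRS_SVC]
eperson = azn_cred_registry_id
group = cn=enterprise, o=tivoli
[TAM_CRED_ATTRS_SVC:eperson]
tagvalue_credattrs_lastname = sn
tagvalue_credattrs_employeetype = employeetype
[TAM_CRED_ATTRS_SVC:group]
tagvalue_credattrs_businesscategory = businesscategory
[MULTI_SVC]
user1 = cn=joeuser, o=tivoli
user2 = cn=janeuser, o=tivoli
[MULTI_SVC:user1]
tagvalue_credattrs_businesscategory = businesscategory
[MULTI_SVC:user2]
tagvalue_credattrs_businesscategory = businesscategory
"""
REGISTRY = {  # constructed stand-in for the LDAP registry, keyed by normalised DN
    "cn=joeuser,o=tivoli": {"sn": ["Smith"], "employeetype": ["bankteller"],
                            "businesscategory": ["finance"]},
    "cn=janeuser,o=tivoli": {"sn": ["Jones"], "businesscategory": ["legal"]},
    "cn=enterprise,o=tivoli": {"businesscategory": ["finance"]},
}

def parse_stanzas(text):
    # Keeps duplicate keywords in order; configparser would reject or collapse them.
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current].append((key, value))
    return stanzas

def resolve_attributes(config_text, service_id, credential, registry):
    # Returns {attribute_name: [values]} as the returned attribute list would hold them.
    stanzas, result = parse_stanzas(config_text), {}
    for source, ident in stanzas.get(service_id, []):
        # A source naming a credential attribute resolves through the credential; else it is a DN.
        dn = ",".join(p.strip() for p in credential.get(ident, ident).split(","))
        for keyword, ldap_attr in stanzas.get(f"{service_id}:{source}", []):
            name = keyword[len("tagvalue_"):] if keyword.startswith("tagvalue_") else keyword
            # The same attribute name from several sources becomes one multi-valued attribute.
            result.setdefault(name, []).extend(registry.get(dn, {}).get(ldap_attr, []))
    return result
```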