1. Introduction

 
Identity injection allows you to add information to the URL, to a custom header, or to the HTML page before the request is sent to a Web server. The Web server uses this information to decide whether the user can access the resource, so it is the Web server that determines what you need to inject to allow access to the resource.

If you would like to know more about the NAM Identity Injection policy, please see: https://www.netiq.com/documentation/access-manager-42/admin/data/b5547ku.html

NAM provides multiple data sources (LDAP attribute, Client IP, OAuth Claims, etc.) that can be injected into the URL, a custom header, the Cookie header, etc.

2. Business Requirement / Use cases

 
NAM provides an extensive list of injection options, and most of the time one of them will meet your requirement. But if you need to run business logic to determine the value that should be injected, NAM lets you write a Data Extension and implement that business logic in Java code.

NAM Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/bookinfo.html

3. Develop Data Extension

 

3.1 Prerequisite

 
You should have the following items before starting development:

  1. Java SDK 1.6 or above
  2. An IDE for Java (for example Eclipse)
  3. The nxpe.jar file (can be copied from the "/opt/novell/nesp/lib/webapp/WEB-INF/lib" directory on the Access Gateway server)

3.2 Create Java Project and Configure Eclipse

  1. Open the Eclipse IDE and go to File -> New -> Java Project. Enter a project name.
  2. Right click on the project and go to Build Path -> Configure Build Path.
  3. Click on "Java Build Path" in the left menu and go to the "Libraries" tab.
  4. Click on the "Add External JARs..." button and select the nxpe.jar file.
  5. Right click on src (under the Java project), click New -> Package and enter the package name.

3.3 Develop Factory and Data Extension Class

  1. Right click on the package, go to New -> Class and enter a class name (for example MyDataFactory). Copy the following code and replace everything in the MyDataFactory class.
  2. MyDataFactory

  3. Right click on the package, go to New -> Class and create another class (for example MyDataExtn). Copy the following code and replace everything in the MyDataExtn class.
  4. MyDataExtn

Please see the following NetIQ documentation to understand the process flow of a data extension.

Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/bookinfo.html

Sample Code: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/main.html

NAM Data Extension Example: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/nacm32/PolicyDataExtnTemplate/Readme_TemplateDataExtension_Example.pdf

3.4 Export JAR

  1. Right click on the project and click on the "Export..." menu. Choose JAR file and click Next.
  2. Choose the export destination and click Next, Next and Finish. Leave all other settings at their defaults.

At this point you have created a Data Extension JAR file.

3.5 Upload JAR in Admin Console

  1. Go to Policies -> Extensions and click on the "Upload..." button.
  2. Browse to the JAR file you saved in section 3.4. If you are uploading the same JAR file multiple times while testing your business logic, check "Overwrite existing *.jar file".

At this point you have uploaded the JAR file in Admin Console.

3.6 Create Policy Extension

  1. Click on "New..." and enter the following information:
     Name: MyDataExtensionPolicy
     Description: This is my data extension policy
     Policy Type: Access Gateway: Identity Injection
     Type: Data
     Class Name: com.plugin.MyDataFactory
     File Name: MyDataExtension

  2. Click on the extension policy you have just created and add one configuration parameter. If you look at the MyDataExtn.java file, the business logic expects an employeeType value. You provide this value to the extension class through the configuration parameters of the extension policy.

The ID used in the program and the ID of the configuration parameter must match. In this example I add a parameter named employee_type with ID = 100.
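The two classes referenced in section 3.3, as an added example that is not the author's original listing (which is not reproduced on this page): the factory named in the extension policy, and the extension that reads the employee_type parameter (ID 100) and maps it to the value injected per section 4. The nxpe interface and method names used here (NxpeContextDataElementFactory.getInstance, NxpeContextDataElement.initialize/getValue, NxpeParameterList.getParameter, NxpeParameter.getValue) are assumptions taken from the NAM PolicyDataExtnTemplate sample linked above; check them against the nxpe.jar you copied in section 3.1 before building.

```java
package com.plugin;
import com.novell.nxpe.*; // nxpe.jar; interface/method names assumed from the NAM template sample

// Factory named in the extension policy (Class Name: com.plugin.MyDataFactory).
public class MyDataFactory implements NxpeContextDataElementFactory {
    public NxpeContextDataElement getInstance(String name, int enumerativeValue, String parameter) {
        return new MyDataExtn(name, enumerativeValue, parameter);
    }
}

// In Eclipse this class goes in its own file, MyDataExtn.java, in the same package.
class MyDataExtn implements NxpeContextDataElement {
    // Must equal the ID of the employee_type configuration parameter (100 in section 3.6).
    static final int EMPLOYEE_TYPE_PARAM_ID = 100;
    private final String name;
    private final int enumerativeValue;
    private final String parameter;
    private NxpeParameterList configurationValues;

    MyDataExtn(String name, int enumerativeValue, String parameter) {
        this.name = name; this.enumerativeValue = enumerativeValue; this.parameter = parameter;
    }
    public String getName() { return name; }
    public int getEnumerativeValue() { return enumerativeValue; }
    public String getParameter() { return parameter; }
    public NxpeParameterList getConfigurationValues() { return configurationValues; }
    public void initialize(NxpeParameterList configurationValues) throws NxpeException {
        this.configurationValues = configurationValues;
    }

    // Called by the Access Gateway each time the injection policy needs the header value.
    public Object getValue(NxpeInformationContext informationContext, NxpeResponseContext responseContext)
            throws NxpeException {
        // The parameter is resolved server-side (e.g. from an LDAP attribute), never from request headers,
        // so the backend can trust the injected employeeType header.
        NxpeParameter p = configurationValues.getParameter(EMPLOYEE_TYPE_PARAM_ID);
        Object raw = (p == null) ? null : p.getValue();
        String injected = mapEmployeeType(raw == null ? null : raw.toString());
        // This line shows up in catalina.out (section 4); keep it free of sensitive attributes.
        System.out.println("MyDataExtn: employee_type=" + raw + " -> employeeType=" + injected);
        return injected;
    }

    // Business rule from section 4; unknown or missing types fail closed to an empty value.
    static String mapEmployeeType(String employeeType) {
        if (employeeType == null) return "";
        String t = employeeType.trim().toLowerCase();
        if (t.equals("employee")) return "Full Time Employee";
        if (t.equals("contractor") || t.equals("vendor")) return "Contractor";
        return "";
    }
}
```

The mapping assumes the employee_type parameter resolves to the literal strings "employee", "contractor" or "vendor"; adjust the comparisons to whatever values your directory actually stores.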


3.7 Distribute Policy Extension to Access Gateway Server

 
Select the extension policy you just created and click on the "Distribute JARs" button.

Click OK in the confirmation window. You must restart the Access Gateway service after the JAR has been distributed.

 

3.8 Use Policy Extension in Authorization Policy

  1. Go to Policies -> Policies -> Your Container and click "New...".
  2. Enter the following:
     Name: MyDataInjectionPolicy
     Type: Access Gateway: Identity Injection

  3. Click on New -> Inject into custom header and provide a header name (for example employeeType). Under Value choose Data Extension -> MyDataExtensionPolicy.

4. Test the Injection Policy

 
Assign MyDataInjectionPolicy to any protected resource and check the injected data.

If an employee logs in, this policy injects employeeType = Full Time Employee.
If a contractor or vendor logs in, this policy injects employeeType = Contractor.
If any other user type logs in, this policy injects an empty value into the employeeType header.

Check the /var/opt/novell/nam/logs/mag/tomcat/catalina.out log; there you will find the log lines you printed from the Java code.

Please contact me if you find any issues during development.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Koushik Halder, Aug 31, 2017, 9:51 am