Introduction


Many organizations need to process or filter user attributes after authentication, before sharing those attributes with any other service. Typical use cases are:

  1. Modify user attributes, for example changing the email domain (at runtime, in memory), before sending any user information to Access Gateway.
  2. When federating with a third-party SP with NAM acting as IDP, modify the user attributes to send special or custom attribute values.

This can be achieved in multiple ways with NetIQ Access Manager:

  1. Write an external attribute source and consume that attribute in the above use cases (see NetIQ Access Manager – Adding External Data to SAML Assertions).
  2. Write a custom authentication class that modifies the user attributes and makes them available for the above use cases.
  3. The third method, explained below, modifies or adds attributes for the user after authentication with NAM in a few simple steps with minimal coding. This approach applies to NAM 4.0.1 onwards only.

Setup Information


NetIQ Access Manager Identity Server setup details

  1. Download the ldap_attr_modify.zip file from this Cool Solution.
  2. Extract the zip file.
  3. Copy the jar file to the IDP server; the target location is “/opt/novell/nam/idp/webapps/WEB-INF/lib”.
  4. Restart the IDP.
  5. Find “attrfilter.jsp” in the extracted file list.
  6. Open “attrfilter.jsp” in Notepad or in your favorite Java IDE, such as Eclipse.
  7. In the file, find the following statements:
    /**
     * LDAPAttribute names array to be modified.
     */
    final String m_attributeNames[] = {"givenName","carLicense"};
  8. Edit the attributeNames array with the set of attributes to be added or modified for the user. Make sure the names you type match the LDAP attribute names exactly. In the example above, “givenName” and “carLicense” are the LDAP attributes planned to be modified.
  9. Find the following method signature in the same JSP file:
    private String getModifiedLDAPAttrValue(String attrName, String oldValue)
  10. In the “getModifiedLDAPAttrValue” method, the parameter “oldValue” holds the value read from the user store. The new value (“newValue” in the JSP) has to be prepared here: write Java code that computes it, either based on “oldValue” or as an entirely new value.
  11. The user attribute modification code is now ready to use. Copy your customized copy of “attrfilter.jsp” to the IDP; the file location is “/opt/novell/nam/idp/webapps/nidp/jsp”.
  12. Your code is now ready to use, but it needs additional configuration in the Admin Console to complete the setup.
  13. Log in to the Admin Console.
  14. Select the contract under which the user will be authenticated: IDP configuration, ‘Local’ tab, ‘Contracts’.
  15. On the contract page, select the “Login Redirect URL” text field (this field was added to the UI in NetIQ Access Manager 4.0.1).
  16. Fill in the following value:
    https://<<IDP dns and port>>/nidp/jsp/attrfilter.jsp?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>
    E.g., https://namtest.com/nidp/jsp/attrfilter.jsp?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>
  17. [Screenshot: ldapattr-1]

  18. Click OK and update the IDP configuration.
  19. Now test your setup by authenticating a user with the contract configured with the “Login Redirect URL” for user attribute modification. One sample test: create a sample PHP (or any other) web page, deploy it on any server, accelerate this service, and configure Identity Injection of custom headers to this test page; the test page should print the complete request back to the browser so you can see what was injected.

Using Custom LDAP attribute setup details

Use case example:

Prepare a custom attribute by joining two LDAP attributes; this custom attribute can be sent via federation to a third party or to the NetIQ Access Gateway server.

Steps:

  1. Log in to the Admin Console.
  2. Select the Shared Settings tab and the Custom Attributes section.
  3. Under the “LDAP Attribute Names” section click “New”; a popup window appears.
  4. Enter your custom attribute name, for example “mycustom1”, and click “OK”.
  5. Add this attribute to your existing attribute set, or create a new one and assign the “mycustom1” LDAP attribute to it.
  6. [Screenshot: ldapattr-2]

  7. Use the above attribute set with IDFF for NetIQ Access Gateway policies, or map this attribute in other federations such as SAML2.
  8. [Screenshot: ldapattr-3]

  9. Now the custom code has to be added to “attrfilter.jsp”.
  10. Example code is already included in the JSP; uncomment the following line (line 30 of the JSP):
    setCustomAttributeValue(request,"mycustom1");
  11. If you created the custom attribute name as “mycustom1”, simply add this attribute to the Identity Injection policy and test it.
  12. The example attribute modification in the “setCustomAttributeValue()” method in the JSP joins two attributes (givenName, carLicense) with “:”.
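As an added example (not the Cool Solution's own attrfilter.jsp code), the rewrite logic from steps 7 to 10 above and the “mycustom1” join from step 12 as a stand-alone Java class with the JSP's method shape, so it can be compiled and checked outside the IDP before being pasted into the JSP. The class name, the target mail domain and the sample values are assumptions.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not the Cool Solution's attrfilter.jsp: the two hook points
 * of the JSP as plain static methods, testable outside the IDP.
 */
public class AttrRewriteExample {

    /** Same role as m_attributeNames[] in the JSP: only these attributes are rewritten. */
    static final List<String> ATTRIBUTE_NAMES = Arrays.asList("givenName", "carLicense", "mail");

    /** Assumed target domain for use case 1 (rewrite the mail domain in memory only). */
    static final String NEW_MAIL_DOMAIN = "partner.example";

    /** Same signature as the JSP method; returns the value the IDP should hand on. */
    static String getModifiedLDAPAttrValue(String attrName, String oldValue) {
        // Never touch attributes outside the list, and never invent a value for an empty one.
        if (attrName == null || oldValue == null || !ATTRIBUTE_NAMES.contains(attrName)) {
            return oldValue;
        }
        switch (attrName) {
            case "mail": {
                int at = oldValue.lastIndexOf('@');
                // Not an address: hand it on unchanged rather than guessing.
                return at < 0 ? oldValue : oldValue.substring(0, at + 1) + NEW_MAIL_DOMAIN;
            }
            case "givenName":
                return oldValue.trim();                          // normalise whitespace from the store
            case "carLicense":
                return oldValue.replaceAll("[^A-Za-z0-9-]", ""); // keep only plate characters
            default:
                return oldValue;
        }
    }

    /** Mirrors the JSP's setCustomAttributeValue() example: givenName and carLicense joined with ":". */
    static String buildCustomAttribute(String givenName, String carLicense) {
        String g = givenName == null ? "" : givenName.trim();
        String c = carLicense == null ? "" : carLicense.trim();
        return g + ":" + c;                                      // becomes the value of "mycustom1"
    }

    public static void main(String[] args) {
        // Constructed sample values; in the IDP these are read from the user store.
        System.out.println(getModifiedLDAPAttrValue("mail", "alice@corp.example"));
        System.out.println(getModifiedLDAPAttrValue("carLicense", "AB-12 34"));
        System.out.println(getModifiedLDAPAttrValue("sn", "untouched"));
        System.out.println(buildCustomAttribute("Alice", "AB-1234"));
    }
}
```

The third call shows that an attribute not listed in ATTRIBUTE_NAMES passes through unchanged, which is the behaviour to keep when the code is moved into the JSP.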

Note: Modified attribute values might also be available to Role policies; this has not been tested.

Please share your comments!!

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
