10.2 Viewing or Customizing the Attributes for Identity Injection

The connector for Simple Proxy can inject an authenticated user’s identity attributes in query strings and headers of communications sent from the appliance to the destination web service. The web server might use this information to determine whether the user should have access to the resource. It can also use the identity information to customize content on the web page. For example, when a user whose first name is Joe (as specified in the identity source) navigates to the destination web page, he might see Welcome: Joe at the top of his browser window.

10.2.1 Understanding Identity Attributes

In the connector for Simple Proxy, you can enable or disable the following identity injection policies. Both policies are enabled by default.

  • Inject Identity in Query: If you enable this option, when a user navigates to the connector’s destination web service, the service receives all of the user’s identity attributes in the query string.

    WARNING: Injecting attributes in the query string could exceed the maximum URL length of 2083 characters.

  • Inject Identity in Header: If you enable this option, when a user navigates to the connector’s destination web service, the service receives all of the user’s identity attributes as custom headers.

If you enable an injection policy, the connector sends all of the user’s identity attributes, even if the values are unavailable (empty). For some applications, this is still useful information and the web service can use it to make access or display decisions.

WARNING: If you use HTTP for communications between the connector and the web service, the injected identity attributes are available as clear text to network packet sniffers.

Although the proxy service runs behind the firewall, consider configuring the connector’s web service URL with HTTPS to protect the communication stream to the web service. If you use HTTPS, the value that you specify for the web server’s DNS name or IP address in the connector must match the CN in the web server's SSL certificate.

The attribute values in the query string parameters or header parameters sent to the web server are based on the following options in the identity source user interface:

Identity Source Parameter     Query String Parameter      Header Parameter
ID                            ID                          X-ID
Email                         Email                       X-Email
User name                     UserName                    X-UserName
First name                    FirstName                   X-FirstName
Middle name                   MiddleName                  X-MiddleName
Last name                     LastName                    X-LastName
Full name                     FullName                    X-FullName
Preferred name                PreferredName               X-PreferredName
Generational qualifier        GenerationalQualifier       X-GenerationalQualifier
Gender                        Gender                      X-Gender
Phone                         Phone                       X-Phone
Birthdate                     BirthDate                   X-BirthDate
Street address                StreetAddress               X-StreetAddress
City                          City                        X-City
State                         State                       X-State
ZIP code                      ZipCode                     X-ZipCode
Country                       Country                     X-Country
Language                      Language                    X-Language
Identity Type                 IdentityType                X-IdentityType
X-Custom1                     XCustom1                    X-XCustom1
X-Custom2                     XCustom2                    X-XCustom2
X-Custom3                     XCustom3                    X-XCustom3
X-Custom4                     XCustom4                    X-XCustom4
X-Custom5                     XCustom5                    X-XCustom5

The IdentityType parameter for query strings and headers indicates the type of identity source that the appliance uses to authenticate the user, such as Active Directory, eDirectory, Self-Service User Store (SSUS), and JDBC.
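As an added illustration (not code from the CloudAccess product or its documentation), the following Python models the two injection policies on the connector side using the parameter names in the table above, and shows how a destination web service can read the injected X- headers back while handling the empty values the connector sends for unavailable attributes and the 2083-character URL limit. The destination hostname and the sample user are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit

# Query-string parameter names from the mapping table; headers use the same
# names with an "X-" prefix (X-ID, X-Email, ..., X-XCustom5).
QUERY_PARAMS = [
    "ID", "Email", "UserName", "FirstName", "MiddleName", "LastName",
    "FullName", "PreferredName", "GenerationalQualifier", "Gender", "Phone",
    "BirthDate", "StreetAddress", "City", "State", "ZipCode", "Country",
    "Language", "IdentityType", "XCustom1", "XCustom2", "XCustom3",
    "XCustom4", "XCustom5",
]
HEADER_PREFIX = "X-"
MAX_URL_LEN = 2083  # URL length limit quoted in the warning above


def inject_query(destination_url, attrs):
    """Model the Inject Identity in Query policy: every parameter is appended
    to the destination URL, with an empty value when the identity source has
    no value for it. Returns (url, fits); fits is False when the result
    exceeds MAX_URL_LEN."""
    params = [(name, attrs.get(name) or "") for name in QUERY_PARAMS]
    sep = "&" if urlsplit(destination_url).query else "?"
    url = destination_url + sep + urlencode(params)
    return url, len(url) <= MAX_URL_LEN


def inject_headers(attrs):
    """Model the Inject Identity in Header policy: one X-<name> header per
    attribute, empty when the value is unavailable."""
    return {HEADER_PREFIX + name: attrs.get(name) or "" for name in QUERY_PARAMS}


def identity_from_headers(headers):
    """Destination-side helper: read the injected attributes back out of a
    request's headers (case-insensitively, as HTTP allows) and turn empty
    values into None so the application can tell 'unavailable' from 'set'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        name: lowered.get((HEADER_PREFIX + name).lower()) or None
        for name in QUERY_PARAMS
    }


if __name__ == "__main__":
    # Constructed sample user: only a few attributes are populated.
    joe = {"ID": "1234", "UserName": "joe", "FirstName": "Joe",
           "IdentityType": "eDirectory"}
    url, fits = inject_query("https://intranet.example.test/welcome", joe)
    print(url, fits)
    print(identity_from_headers(inject_headers(joe))["LastName"])  # None
```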

10.2.2 Viewing Identity Attribute Mappings to Identity Source Attributes

In your identity source, the identity attributes are mapped to identity source attributes. You can view the mappings in your identity source connector. For example, in eDirectory, ID is mapped to the guid attribute, User name is mapped to cn, and so on. You can change these mappings as needed for your environment, but any changes you make are global. You cannot change them on a per-proxy or per-app basis.

To view identity attribute mappings in an identity source:

  1. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  2. In the Identity Sources panel, click the identity source, then click Configure.

  3. Expand Advanced Options.

  4. In the Attribute Mappings section, expand Default to view the list of the mappings of identity attributes to identity source attributes.

  5. If you modify the settings, click OK to save your changes, and then click Apply on the Admin page.

    Do not continue until the changes are applied to all nodes of the appliance cluster.

  6. Repeat this process for each identity source that manages users who will access the destination web server.

10.2.3 Configuring Custom Identity Attributes

An identity injection sends all identity attributes. You cannot specify only a subset of attributes, add attributes, or remove attributes. However, you can map the X-Custom<1-5> attributes to attributes in your identity source. Ensure that you map the appropriate identity source attribute to each custom attribute across all of the identity sources for users who will access the destination web server.

To configure custom identity attributes in your identity source:

  1. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  2. In the Identity Sources panel, click the identity source, then click Configure.

  3. Expand Advanced Options, then use the Attribute Mappings section to map custom attributes (X-Custom<1-5>) to attributes in your identity source.

  4. Click OK to save your changes, and then click Apply on the Admin page.

    Do not continue until the changes are applied to all nodes of the appliance cluster.

  5. Repeat this setup for each identity source that manages users who will access the destination web server.