6.4 Adding Custom Attributes

You can add custom shared secret names or LDAP attribute names that you want to make available for selection when setting up policies.

6.4.1 Creating Shared Secret Names

The shared secret consists of a secret name and one or more secret entry names. You can create a secret name only, or a secret name and an entry name. For ease of use, the entry name should match the policy that uses it:

  • For a Form Fill policy, the entry name should match a form field name.

  • For an Identity Injection policy, the entry name should match the Custom Header Name.

  • For an External Attributes policy, Secret Name should match the policy name and Secret Entry Name should match the attribute name configured while creating the policy.

    For example, if the policy name is fetchattr and the attribute name configured in the policy is address, then Secret Name should be fetchattr and Secret Entry Name should be address.

For more information about how to use shared secrets with policies, see Creating and Managing Shared Secrets in the NetIQ Access Manager 3.2 SP3 Policy Guide.

The Identity Server needs to be configured to use shared secrets. For information about this process, see Section 3.1.4, Configuring a User Store for Secrets.

Shared secret names can be created either on the Custom Attributes page or in the associated policy that consumes them.

  1. In the Administration Console, click Devices > Identity Servers > Shared Settings > Custom Attributes.

  2. To create shared secret names, click New.

    (Figure: Shared secret name)

  3. Enter a new shared secret name and, optionally, a secret entry name.

  4. Click OK.

  5. (Optional) To create additional entries for the secret, click the name of the secret, click New, specify an entry name, then click OK.

WARNING: The Identity Server currently has no mechanism to determine whether a secret is being used by a policy. Before you delete a shared secret, you must ensure that it is not being used.

6.4.2 Creating LDAP Attribute Names

LDAP attributes are available for all policies. LDAP attribute names can be created either on the Custom Attributes page or in the associated policy that consumes them. The attribute names that you specify must match the name of an attribute of the user class in your LDAP user store.
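A mistyped or wrongly cased attribute name silently yields an empty value in every policy that uses it, so it is worth checking the configured names against the user class schema before relying on them. The following is an added example, not code from NetIQ Access Manager: it parses a constructed, simplified set of RFC 4512-style objectClass definitions (the inetOrgPerson MAY list matches RFC 2798; the person and organizationalPerson lists follow RFC 4519, abbreviated) and reports, for each configured name, whether it is defined on inetOrgPerson or one of its superclasses. In a real deployment you would paste the objectClass definitions exported from your own LDAP user store in place of the SCHEMA string.

```python
import re

# Constructed, simplified RFC 4512-style objectClass definitions. This is an
# illustrative schema, not an export from any real directory.
SCHEMA = """
( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ postalAddress $ postalCode $ street $ telephoneNumber $ facsimileTelephoneNumber $ ou $ st $ l ) )
( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) )
"""


def parse_object_classes(schema_text):
    """Return {class_name: {"sup": parent_or_None, "attrs": set(MUST + MAY names)}}."""
    classes = {}
    for line in schema_text.strip().splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue
        name = re.search(r"NAME\s+'([^']+)'", line).group(1)
        sup = re.search(r"\bSUP\s+(\w+)", line)
        attrs = set()
        for keyword in ("MUST", "MAY"):
            # Either a single name or a "( a $ b $ c )" list follows the keyword.
            m = re.search(r"\b%s\s+(\([^)]*\)|\w+)" % keyword, line)
            if m:
                attrs.update(a.strip() for a in m.group(1).strip("()").split("$") if a.strip())
        classes[name] = {"sup": sup.group(1) if sup else None, "attrs": attrs}
    return classes


def attributes_of(classes, class_name):
    """Collect the attributes of a class and of every superclass up the SUP chain."""
    attrs, seen = set(), set()
    while class_name and class_name not in seen:
        seen.add(class_name)
        entry = classes.get(class_name)
        if entry is None:
            raise KeyError("object class %r is not defined in the schema" % class_name)
        attrs |= entry["attrs"]
        class_name = entry["sup"]
    return attrs


def check_custom_attributes(names, classes, user_class="inetOrgPerson"):
    """Classify each configured custom attribute name as 'ok', 'case-mismatch'
    (LDAP matches names case-insensitively, but using the schema spelling avoids
    surprises in policies and logs) or 'unknown' (not on the user class at all)."""
    valid = attributes_of(classes, user_class)
    by_lower = {a.lower(): a for a in valid}
    result = {}
    for n in names:
        if n in valid:
            result[n] = "ok"
        elif n.lower() in by_lower:
            result[n] = "case-mismatch (schema spells it %s)" % by_lower[n.lower()]
        else:
            result[n] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed list of names as someone might type them on the Custom Attributes page.
    configured = ["givenName", "mail", "givenname", "sn", "employeeID"]
    for name, verdict in check_custom_attributes(configured, parse_object_classes(SCHEMA)).items():
        print("%-12s %s" % (name, verdict))
```

Attribute names in LDAP are case-insensitive, so a case mismatch still resolves at the directory; it is flagged separately because an unknown name and a misspelled one call for different fixes.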

  1. In the Administration Console, click Devices > Identity Servers > Shared Settings > Custom Attributes.

    This list contains the attributes for the inetOrgPerson class. It is customizable.

    audio: Uses a u-law encoded sound file that is stored in the directory.

    businessCategory: Describes the kind of business performed by an organization.

    carLicense: Vehicle license or registration plate.

    cn: The X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the person’s full name.

    departmentNumber: Identifies a department within an organization.

    displayName: The preferred name of a person to be used when displaying entries. When displaying an entry, especially within a one-line summary list, it is useful to use this value. Because other attribute types such as cn are multivalued, an additional attribute type is needed.

    employeeNumber: Numerically identifies a person within an organization.

    employeeType: Identifies the type of employee.

    givenName: Identifies the person’s name that is not his or her surname or middle name.

    homePhone: Identifies a person by home phone.

    homePostalAddress: Identifies a person by home address.

    initials: Identifies a person by his or her initials. This attribute contains the initials of an individual, but not the surname.

    jpegPhoto: Stores one or more images of a person, in JPEG format.

    labeledURI: Uniform Resource Identifier with an optional label. The label describes the resource to which the URI points.

    mail: A user’s e-mail address.

    manager: Identifies a person as a manager.

    mobile: Specifies a mobile telephone number associated with a person.

    o: The name of an organization.

    pager: The pager telephone number for an object.

    photo: Specifies a photograph for an object.

    preferredLanguage: Indicates an individual’s preferred written or spoken language.

    roomNumber: The room number of an object.

    secretary: Specifies the secretary of a person.

    sn: The X.500 surname attribute, which contains the family name of a person.

    uid: User ID.

    userCertificate: An attribute stored and requested in binary form.

    userPKCS12: A format to exchange personal identity information. Use this attribute when information is stored in a directory service.

    userSMIMECertificate: A PKCS#7 SignedData structure used to support S/MIME. The content that is signed is ignored by consumers of userSMIMECertificate values; only the certificates it carries are used.

    x500uniqueIdentifier: Distinguishes between objects when a distinguished name has been reused. This is a different attribute type from both the uid and the uniqueIdentifier type.

  2. To add a name:

    1. Click New.

    2. If you want the attribute to return raw data rather than binary data, select 64-bit Encode Attribute Data.

    3. Click OK.

  3. To modify the 64-bit attribute data encoding, click an attribute’s check box, then click one of the following links:

    Set Encode: Specifies that LDAP returns a raw format of the attribute rather than binary format, which Access Manager encodes to base64, so that the protected resource understands the attribute. You might use base64 encoding if you use certificates that require raw bytes rather than binary string format.

    Clear Encode: Deletes the 64-bit data encoding setting.

  4. Click Apply to save changes, then click the Servers tab to return to the Servers page.
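The reason the Set Encode option matters for attributes such as userCertificate is that a binary value can contain bytes (CR, LF, NUL, other control characters) that are not legal inside an HTTP header or form field, so injecting it raw either fails or, worse, is interpreted as the end of the header. The following is an added example, not code from NetIQ Access Manager: it models the two settings with a constructed byte string shaped like the start of a DER certificate (it is not a real certificate), shows that the raw value fails an RFC 7230 field-value check while the base64 form passes, and shows the protected resource decoding the injected value back to the original bytes. The function names are the example's own.

```python
import base64

# Constructed sample: a DER SEQUENCE header followed by high-bit bytes, a CR/LF pair
# and a NUL byte. It is NOT a real certificate; it only exercises the failure mode.
RAW_USER_CERTIFICATE = b"\x30\x82\x03\x1a\x30\x82\x02\x02\xa0\x03\x02\x01\x02\r\n\x00\xff"


def is_valid_header_value(value):
    """RFC 7230 field-value check: VCHAR (0x21-0x7E), SP, HTAB and obs-text (0x80-0xFF)
    are allowed; CR, LF, NUL and other control bytes are not. A str is checked as Latin-1."""
    if isinstance(value, str):
        value = value.encode("latin-1")  # raises UnicodeEncodeError for non-Latin-1 text
    for b in value:
        if b in (0x09, 0x20) or 0x21 <= b <= 0x7E or b >= 0x80:
            continue
        return False
    return True


def encode_for_injection(raw, set_encode):
    """Model the Custom Attributes setting: with Set Encode the binary value is
    base64-encoded before it is placed in a header; with Clear Encode the raw bytes are used."""
    if set_encode:
        return base64.b64encode(raw).decode("ascii")
    return raw


def header_injection_outcome(raw, set_encode):
    """Return the header value that would be injected, or a rejection message when the
    value would be illegal in an HTTP header."""
    value = encode_for_injection(raw, set_encode)
    if not is_valid_header_value(value):
        return "rejected: value contains bytes that are illegal in an HTTP header"
    return value


def consumer_decode(header_value):
    """What the protected resource does with the injected header: strict base64 decode,
    so that any tampering with the alphabet or padding is caught rather than ignored."""
    return base64.b64decode(header_value, validate=True)


if __name__ == "__main__":
    print("Clear Encode:", header_injection_outcome(RAW_USER_CERTIFICATE, set_encode=False))
    encoded = header_injection_outcome(RAW_USER_CERTIFICATE, set_encode=True)
    print("Set Encode:  ", encoded)
    print("round-trip OK:", consumer_decode(encoded) == RAW_USER_CERTIFICATE)
```

The check deliberately allows obs-text bytes (0x80-0xFF), as RFC 7230 does, to show that even a permissive parser rejects the raw value because of the embedded CR/LF and NUL; a stricter consumer that accepts only printable ASCII rejects it sooner, and accepts the base64 form in both cases.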