7.8 Selecting Attributes for a Trusted Provider

You can select attributes that an identity provider sends in an authentication request or that a service provider receives in an authentication response. The attributes are selected from an attribute set, which you can create or select from a list of already defined sets (see Section 6.1, Configuring Attribute Sets).

For best performance, configure the trusted providers to use attribute sets, especially for attributes with static values such as a user's e-mail address, employee ID, or phone number. This reduces traffic between the provider and the LDAP server: the attribute values are gathered in one request at authentication rather than in a separate request each time a policy or protected resource needs them.

7.8.1 Configuring the Attributes Obtained at Authentication

When the Identity Server creates its request to send to the identity provider, it uses the attributes that you have selected. The request asks the identity provider to provide values for these attributes. You can then use these attributes to create policies, to match user accounts, or if you allow provisioning, to create a user account on the service provider. Because the values are asserted by the identity provider, account matching and provisioning are only as trustworthy as that provider.

  1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol] > [Identity Provider] > Attributes.

  2. (Conditional) To create an attribute set, select New Attribute Set from the Attribute Set drop-down menu.

    An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can map a local Liberty profile attribute (such as Informal Name) to the remote attribute name that the trusted provider uses.

    1. Specify a set name, then click Next.

    2. On the Define Attributes page, click New.

    3. Select a local attribute.

    4. Optionally, provide the name of the remote attribute and a namespace.

    5. Click OK.

      For more information about this process, see Section 6.1, Configuring Attribute Sets.

    6. To add other attributes to the set, repeat Step 2.b through Step 2.e.

    7. Click Finish.

  3. Select an attribute set.

  4. Select attributes from the Available list, and move them to the left side of the page.

    The attributes that you move to the left side of the page are the attributes you want to be obtained during authentication.

  5. Click OK twice.

  6. Update the Identity Server.

7.8.2 Configuring the Attributes Sent with Authentication

When the Identity Server creates its response for the service provider, it uses the attributes listed on the Attributes page. The response needs to contain the attributes that the service provider requires. If you do not own the service provider, contact its administrator and agree on which attributes must be sent in the response; every attribute you select is disclosed to that provider in the assertion, so send only what it needs. The service provider can then use these attributes to identify the user, to create policies, to match user accounts, or if it allows provisioning, to create a user account on the service provider.

  1. In the Administration Console, click Devices > Identity Servers > Edit > [Protocol] > [Service Provider] > Attributes.

  2. (Conditional) To create an attribute set, select New Attribute Set from the Attribute Set drop-down menu.

    An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can map a local Liberty profile attribute (such as Informal Name) to the remote attribute name that the service provider expects.

    1. Specify a set name, then click Next.

    2. On the Define Attributes page, click New.

    3. Select a local attribute.

    4. Optionally, you can provide the name of the remote attribute and a namespace.

    5. Click OK.

      For more information about this process, see Section 6.1, Configuring Attribute Sets.

    6. To add other attributes to the set, repeat Step 2.b through Step 2.e.

    7. Click Finish.

  3. Select an attribute set.

  4. Select attributes from the Available list, and move them to the left side of the page.

    The left side of the page lists the attributes that you want sent in an assertion to the service provider.

  5. Click OK twice.

  6. Update the Identity Server.
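The mapping that Step 2 configures in both procedures above (local attribute, remote attribute name, namespace) is what appears on the wire in a SAML 2.0 AttributeStatement. The following Python is an added illustration of that mapping, not Access Manager code: one function plays the identity provider of Section 7.8.2 and emits only the attributes in the set, the other plays the service provider of Section 7.8.1 and maps remote names back to local names, ignoring anything the set does not define. The attribute names, the user record, and the use of the SAML NameFormat URI as the "namespace" are assumptions made for the example; "All Roles" is the role attribute the page uses for the Embedded Service Provider.

```python
"""Map an attribute set onto a SAML 2.0 AttributeStatement (illustrative only).

Added example, not Access Manager code. Shows the configured mapping
local attribute -> (remote attribute name, namespace) as it appears in an
assertion, on both the sending and the receiving side.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed attribute set (assumed names): local attribute -> (remote name, namespace).
# The namespace is taken here to be the SAML NameFormat URI.
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ATTRIBUTE_SET = {
    "mail": ("email", BASIC),
    "employeeNumber": ("employeeId", BASIC),
    "All Roles": ("roles", BASIC),
}


def build_attribute_statement(attribute_set, user_values):
    """Identity provider side (7.8.2): emit only the attributes in the set.

    user_values maps local attribute names to lists of values, as the LDAP
    lookup at authentication would return them. Attributes that are not in
    the set are dropped, so nothing beyond the agreed set reaches the
    service provider.
    """
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for local, (remote, name_format) in attribute_set.items():
        values = user_values.get(local)
        if not values:
            continue
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=remote, NameFormat=name_format)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def extract_attributes(statement_xml, attribute_set):
    """Service provider side (7.8.1): map remote names back to local names.

    Only attributes whose remote name AND namespace match an entry in the
    set are returned; anything else in the statement is ignored. Signature
    verification of the assertion is out of scope here and must happen
    before these values are trusted for matching or provisioning.
    """
    reverse = {(remote, ns): local for local, (remote, ns) in attribute_set.items()}
    root = ET.fromstring(statement_xml)
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        local = reverse.get((attr.get("Name"), attr.get("NameFormat")))
        if local is None:
            continue
        result[local] = [v.text or "" for v in attr.iter(f"{{{SAML_NS}}}AttributeValue")]
    return result


# Constructed sample user record (assumed values).
SAMPLE_USER = {
    "mail": ["jdoe@example.com"],
    "employeeNumber": ["10042"],
    "All Roles": ["employee", "finance"],
    "telephoneNumber": ["+1 555 0100"],  # not in the set: must not be sent
}

if __name__ == "__main__":
    statement = build_attribute_statement(ATTRIBUTE_SET, SAMPLE_USER)
    print(statement)
    print(extract_attributes(statement, ATTRIBUTE_SET))
```

Running the block shows that telephoneNumber never leaves the identity provider side, and that an attribute arriving under a namespace other than the one configured in the set is silently ignored by the receiving side, which is why both ends must agree on the remote name and the namespace, not just the name.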

7.8.3 Sending Attributes to the Embedded Service Provider

You can configure the Embedded Service Provider (ESP) of the Access Gateway to receive attributes when the user authenticates. LDAP traffic is reduced and performance is improved when the required LDAP attribute values are retrieved during authentication. The improvement is most noticeable when you have many users and you have configured Identity Injection or Authorization policies to protect resources and these policies use LDAP attributes or Identity Server roles.

When the authentication process does not gather the LDAP attribute values, each user access can generate a new LDAP query, depending upon how the user accesses the resources and how the policies are defined. However, if the LDAP values are gathered at authentication, one LDAP query can retrieve all the needed values for the user.

  1. In the Administration Console, click Devices > Identity Servers > Shared Settings.

  2. On the Attributes page, click New, specify a name, then click Next.

  3. For each attribute you need to add because it is used in a policy:

    1. Click New.

    2. In the Local attribute drop-down list, scroll to the LDAP Attribute section, then select the attribute.

    3. Click OK.

      The other fields do not need to be configured.

  4. If you use Identity Server roles in your policies, click New, select the All Roles attribute, then click OK.

  5. Click Finish.

    This saves the attribute set.

  6. Click Servers > Edit > Liberty.

  7. Click the name of the Embedded Service Provider.

    If the Embedded Service Provider is part of a cluster of Access Gateways, the default name is the cluster name. If the Access Gateway is not part of a cluster, the default name is the IP address of the Access Gateway.

  8. Click Attributes.

  9. For the attribute set, select the set you created for the Embedded Service Provider.

  10. Select attributes from the Available list, then move them to the left side of the page.

  11. Click OK, then update the Identity Server.