29.5 Configuring a Custom Header with Tags

Some Web applications require more than a name and a value to be injected into the custom header. Sometimes they require a custom name, a tag, and a value. Sometimes the application requires a custom name with multiple tags and values. The Inject into Custom Header with Tags option provides you with the flexibility to add such values to the custom header. For example, your application could be expecting the following custom header with tag:

X-Custom_Role Role=Manager

You can inject this information by setting the Custom Header Name to X-Custom, the Tag Name to Role, and the Tag Value to Manager. The value can be set as a static variable or you can retrieve it from various sources such as a Liberty User Profile attribute or the roles assigned to the current user.

  1. In the Administration Console, click Access Manager > Policies > New.

  2. Specify a name for the policy, select Access Gateway: Identity Injection for the type, then click OK.

  3. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple custom header policies to be used for multiple resources.

  4. In the Actions section, click New, then select Inject into Custom Header with Tags.

  5. Fill in the following fields:

    Custom Header Name: Specify the name that the application expects. If your application requires the X- prefix, make sure you include the prefix in this field.

    Tag Name: Specify the tag name that the application expects.

    Tag Value: Specify the value. Select from the following data types:

    • Authentication Contract: Injects the URI of a local authentication contract that the user used for authentication.

    • Client IP: Injects the IP address associated with the user.

    • Credential Profile: Injects the credentials that the user specified at login. You can select LDAP Credentials, > X509 Credentials, or SAML Credential. For more information, see Section 29.3, Configuring an Authentication Header Policy.

    • LDAP Attribute: Injects the value of the selected attribute.

    • Liberty User Profile: Injects the value of the selected attribute. If no profile attributes are available, you have not enabled their use in the Identity Server configuration. See Section 12.2, Enabling Web Services and Profiles.

    • Proxy Session Cookie: Injects the session cookie associated with the user.

    • Roles for Current User: Injects the roles that have been assigned to the user.

    • Shared Secret: Injects a value that has been stored in the selected shared secret store. The name specified as the Tag Name must match the name of a name/value pair stored in the shared secret.

      You can create your own value. Click New Shared Secret, specify a display name for the store, and the Access Manager creates the store. Select the store, click New Shared Secret Entry, specify a name for the attribute, then click OK. The name must match the expected Tag Name. The store can contain one name/value pair or a collection of name/value pairs. For more information, see Section 30.4, Creating and Managing Shared Secrets.

    • String Constant: Injects a static value that you specify in the text box. This value is used by all users who access the resources assigned to this policy.

    • Java Data Injection Module: Specifies the name of a custom Java plug-in, which injects custom values into the header. Usually, you can use either the LDAP Attribute or Liberty User Profile option to supply custom values, because both are extensible. For more information about creating a custom plug-in, see Novell Access Manager Developer Tools and Examples.

  6. To add multiple tag and value pairs to the custom name, click New in the Tags section.

    Use the up-arrow and down-arrow buttons to order the tags.

  7. Specify the format for the value:

    Multi-Value Separator: Select a value separator, if the value type you have select is multi-valued. For example, Roles for Current User can contain multiple values.

    DN Format: If the value is a DN, select the format for the DN:

    • LDAP: Specifies LDAP typed, comma notation: For example:

      cn=jsmith,ou=Sales,o=novell

    • NDAP Partial Dot Notation: Specifies eDirectory typeless, dot notation: For example:

      jsmith.sales.novell

    • NDAP Leading Partial Dot Notation: Specifies eDirectory typeless, leading dot notation.

      .jsmith.sales.novell

    • NDAP Fully Qualified Partial Dot Notation: Indicates eDirectory typed, dot notation. For example:

      cn=jsmith.ou=Sales.o=novell

  8. To save the policy, click OK twice, then click Apply Changes.