7.4 Adding Custom Attributes

You can add custom shared secret names or LDAP attribute names that you want to make available for selection when setting up policies.

7.4.1 Creating Shared Secret Names

The shared secret consists of a secret name and one or more secret entry names. You can create a secret name only, or a secret name and an entry name. Shared secret names can be created either on this page or in the associated policy that consumes them.

  1. In the Administration Console, click Access Manager > Identity Servers > Shared Settings > Custom Attributes.

  2. To create shared secret names, click New.

  3. Enter a new shared secret name and, optionally, a secret entry name.

  4. Click OK.

WARNING: The Identity Server currently has no mechanism to determine whether a secret is being used by a policy. Before you delete a shared secret, you must make sure it is not being used.

7.4.2 Creating LDAP Attribute Names

LDAP attributes are available for all policies. You can add available attributes here, as well as on the Policies page. LDAP attribute names can be created either on this page or in the associated policy that consumes them.

  1. In the Administration Console, click Access Manager > Identity Servers > Shared Settings > Custom Attributes.

  2. Click New to add a name. This list is customizable. Examples of predefined LDAP attributes include:

    audio: Uses a u-law encoded sound file, stored in the directory.

    businessCategory: Describes the kind of business performed by an organization.

    carLicense: Vehicle license or registration plate.

    cn: The X.500 commonName attribute, which contains a name of an object. If the object corresponds to a person, it is typically the person’s full name.

    departmentNumber: Identifies a department within an organization.

    displayName: The preferred name of a person to use when displaying entries, especially in a one-line summary list. Because other attribute types such as cn are multivalued, a separate single-purpose attribute type is needed for this.

    employeeNumber: Numerically identifies a person within an organization.

    employeeType: Identifies the type of employee.

    givenName: Identifies the part of a person’s name that is neither the surname nor the middle name.

    homePhone: Identifies a person by home phone.

    homePostalAddress: Identifies a person by home address.

    initials: Identifies a person by his or her initials. This attribute contains the initials of an individual, but not the surname.

    jpegPhoto: Stores one or more images of a person, in JPEG format.

    labeledURI: Uniform Resource Identifier with an optional label. The label describes the resource to which the URI points.

    mail: A user’s e-mail address.

    manager: Identifies a person as a manager.

    mobile: Specifies a mobile telephone number associated with a person.

    o: The name of an organization.

    pager: The pager telephone number for an object.

    photo: Specifies a photograph for an object.

    preferredLanguage: Indicates an individual’s preferred written or spoken language.

    roomNumber: The room number of an object.

    secretary: Specifies the secretary of a person.

    sn: The X.500 surname attribute, which contains the family name of a person.

    uid: User ID.

    userCertificate: An attribute that is stored and requested in binary form.

    userPKCS12: A format to exchange personal identity information. Use this attribute when information is stored in a directory service.

    userSMIMECertificate: PKCS#7 SignedData used to support S/MIME. The content that is signed is ignored by consumers of userSMIMECertificate values.

    x500uniqueIdentifier: Distinguishes between objects when a distinguished name has been reused. This is a different attribute type from both the uid and the uniqueIdentifier type.

  3. To configure base 64 encoding of an attribute’s data, select the attribute’s check box, then click one of the following links:

    Set Encode: Specifies that LDAP returns the attribute in its raw format rather than as a binary string, and that Access Manager encodes this raw value to base 64 so that the protected resource can consume the attribute. Use base 64 encoding, for example, when you use certificates that require the raw bytes rather than a binary string format.

    Clear Encode: Removes the base 64 encoding setting from the attribute.

  4. Click Apply to save changes, then click the Servers tab to return to the Servers page.
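As an added illustration (not code from the Access Manager documentation or product), the Python below mirrors what the Set Encode flag changes for a protected resource: attributes flagged for encoding are handed over as base 64 text, unflagged attributes are expected to be plain UTF-8 text, and a binary attribute such as userCertificate that was left unflagged is reported rather than silently corrupted. The sample entry and the function names are constructed for this example.

```python
import base64

# Constructed sample entry (not from a real directory). Values are bytes,
# as an LDAP client returns them. The userCertificate value is a made-up
# DER-like byte string, not a real certificate.
SAMPLE_ENTRY = {
    "cn": [b"Alice Example"],
    "mail": [b"alice@example.test"],
    "userCertificate": [b"\x30\x82\x01\x0a\x02\x01\x00\xff\xfe"],
}


def render_attributes(entry, encoded):
    """Mirror the Set Encode choice for a set of attribute names.

    Attributes listed in `encoded` are base 64 encoded to ASCII text; all
    others must already be valid UTF-8 text. Returns {name: [str, ...]},
    the form in which values can be passed on to a protected resource.
    Raises ValueError for a binary attribute that was not flagged, which
    is exactly the situation Set Encode exists to avoid.
    """
    out = {}
    for name, values in entry.items():
        rendered = []
        for raw in values:
            if name in encoded:
                rendered.append(base64.b64encode(raw).decode("ascii"))
            else:
                try:
                    rendered.append(raw.decode("utf-8"))
                except UnicodeDecodeError as exc:
                    raise ValueError(
                        f"{name} holds binary data; set Encode for it"
                    ) from exc
        out[name] = rendered
    return out


def decode_binary(rendered, name):
    """Consumer side: recover the original bytes of a base 64 attribute."""
    return [base64.b64decode(v, validate=True) for v in rendered[name]]
```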