1.6 Setting Up an Identity Injection Policy

The Access Gateway lets you retrieve information from your LDAP directory and inject it into HTTP headers, query strings, or basic authentication headers. The Access Gateway then sends this information to the back-end Web servers. Access Manager calls this technology Identity Injection. Novell iChain® calls it Object Level Access Control (OLAC). This is one of the features within Access Manager that enables single sign-on. The user is prompted once for the login credentials, and Access Manager then supplies them for the resources you have configured for Identity Injection.

This section explains how to set up an Identity Injection policy for basic authentication. This policy is assigned to the third directory on your Web server, the basic directory, which your Web server has been configured to protect with basic authentication before allowing access.

  1. In the Administration Console, click Access Manager > Access Gateways > Edit > [Reverse Proxy Name] > [Proxy Service Name] > Protected Resources > New.

  2. Configure the resource for the basic directory as described in Section 1.2, Prerequisites for Setup.

    1. For the contract, select Name/Password - Basic or Name/Password - Form.

    2. For the URL path, enter the path to the basic directory (/basic/*).

    3. Click OK.

  3. Click [Protected Resource Name] > Identity Injection.

    On a new installation, the list is empty because no policies have been created.

  4. In the Identity Injection Policy List section, click Manage Policies.

  5. In the Policy List section, click New, then specify values for the following fields.

    Name: Specify a name for the Identity Injection policy.

    Type: Select Access Gateway: Identity Injection.

  6. Click OK.

  7. (Optional) Specify a description for the policy.

  8. In the Actions section, click New > Inject into Authentication Header.

  9. Set up the policy for User Name and Password:

    • For User Name, select Credential Profile and LDAP Credentials: LDAP User Name.

      This injects the value of the cn attribute into the header.

    • For Password, select Credential Profile and LDAP Credentials: LDAP Password.

    The policy should look similar to the following:

  10. Click OK twice, then click Apply Changes.

  11. Click Close.

  12. Select the new Identity Injection policy, then click Enable.

  13. To save the changes to browser cache, click OK.

  14. To apply your changes, click the Access Gateways link, then click Update > OK.

  15. To test this configuration from a client browser, enter the published DNS name as the URL in the browser. Click the link to the page using basic authentication.

    You are prompted to log in. If you have set up Web applications on your Web server that require login, any additional login prompts are hidden from the user and are handled by the identity injection system.

For an example of how Identity Injection policies can be used for single sign-on to the IDM User Application, see Configuring Access Manager for UserApp and SAML.