29.3 Configuring an Authentication Header Policy

To inject values into the authentication header, you need to know what the Web server requires. For basic authentication, you need to inject the user name and password. For a sample policy for a Web server that requires the LDAP username and password to be injected into the header, see Setting Up an Identity Injection Policy in the Novell Access Manager 3.0 SP4 Setup Guide.

To create and configure an authentication header policy:

  1. In the Administration Console, click Access Manager > Policies > New.

  2. Specify a name for the policy, select Access Gateway: Identity Injection for the type, then click OK.

  3. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple policies to be used by multiple resources.

  4. In the Actions section, click New, then select Inject into Authentication Header.

  5. Fill in the User Name field.

    Select Credential Profile to insert the name the user entered when the user authenticated. This is the most common value type to use for user name. However, if you have created a custom contract that uses a credential other than the ones listed below, do not use the Credential Profile as the source for the information to inject into the Authentication Header.

    The default contracts assign the cn attribute to the Credential Profile. If your user store is an Active Directory server, the SAMAccountName attribute is used for the username and stored in the cn field of the LDAP Credential Profile.

    Depending upon what the user must supply for authentication, select one of the following:

    • LDAP Credentials: If you prompt the user for a user name, select this option, then select either LDAP User Name (the cn attribute of the user) or LDAP User DN (the fully distinguished name of the user). Your Web server requirements determine which one you use.

    • X509 Credentials: If you prompt the user for a certificate, select this option, then select one of the following. Your Web server requirements determine which one you use.

      • X509 Public Certificate Subject: Injects just the subject field from the certificate, which can match the DN of the user, depending upon who issued the certificate.

      • X509 Public Certificate Issuer: Injects just the issuer field from the certificate, which is the name of the certificate authority (CA) that issued the certificate.

      • X509 Public Certificate: Injects the entire certificate.

      • X509 Serial Number: Injects the certificate serial number.

    • SAML Credential: Although this option is available for the user name, most applications that use SAML assertions use them for the user’s password. For the user name, you should probably select an option that allows you to supply the user’s name, for example LDAP Credentials or LDAP Attribute.

    Your Web server requirements determine the data type you select for the user name. LDAP, X509, and SAML credentials are available from the Credential Profile. You can also select one of the following values to insert into the header as the user name:

    • Authentication Contract: Injects the URI of the authentication contract the user used for authentication.

    • Client IP: Injects the IP address associated with the user.

    • LDAP Attribute: Injects the value of the selected attribute. For Active Directory servers, specify the SAMAccountName attribute for the user name.

    • Liberty User Profile: Injects the value of the selected attribute. If no profile attributes are available, you have not enabled their use in the Identity Server configuration. See Section 12.2, Enabling Web Services and Profiles.

    • Proxy Session Cookie: Injects the session cookie associated with the user.

    • Roles for Current User: Injects the roles that have been assigned to the user.

    • Shared Secret: Injects the user name that has been stored in the selected shared secret store.

      You can create your own user name attribute. Click New Shared Secret, specify a display name for the store, and the Access Manager creates the store. Select the store, click New Shared Secret Entry, specify a name for the attribute, then click OK. The store can contain one name/value pair or a collection of name/value pairs. For more information, see Section 30.4, Creating and Managing Shared Secrets.

    • String Constant: Injects a static value that you specify in the text box. This name is used by all users who access the resources assigned to this policy.

    • Java Data Injection Module: Specifies the name of a custom Java plug-in, which injects custom values into the header. Usually, you can use either the LDAP Attribute or Liberty User Profile option to supply custom values, because both are extensible. For more information about creating a custom plug-in, see Novell Access Manager Developer Tools and Examples.

    The value type you use depends upon how you have set up the application.

  6. Fill in the Password field.

    Select Credential Profile to insert the password the user entered when the user authenticated. This is the most common value type to use for the password. Depending upon what the user must supply for authentication, select one of the following:

    • LDAP Credentials: If you prompt the user for a password, select this option, then select LDAP Password. If the user’s password is the same as the name of the user, you can select either LDAP User Name (the cn attribute of the user) or LDAP User DN (the fully distinguished name of the user).

    • X509 Credentials: If you use a certificate for the password, select this option, then select one of the following:

      • X509 Public Certificate Subject: Injects just the subject from the certificate, which can match the DN of the user, depending upon who issued the certificate.

      • X509 Public Certificate Issuer: Injects just the issuer from the certificate, which is the name of the certificate authority (CA) that issued the certificate.

      • X509 Public Certificate: Injects the entire certificate.

      • X509 Serial Number: Injects the certificate serial number.

    • SAML Credential: Injects the SAML assertion in the authentication header as the user’s password.

    Your Web server requirements determine the data type you select for the password. LDAP, X509, and SAML credentials are available from the Credential Profile. You can also select one of the following values to insert into the header as the password:

    • Authentication Contract: Injects the URI of a local authentication contract that the user used for authentication.

    • Client IP: Injects the IP address associated with the user.

    • LDAP Attribute: Injects the value of the selected attribute.

    • Liberty User Profile: Injects the value of the selected attribute.

    • Proxy Session Cookie: Injects the session cookie associated with the user.

    • Roles for Current User: Injects the roles that have been assigned to the user.

    • Shared Secret: Injects the password that has been stored in the selected shared secret store.

      You can create your own password attribute. Click New Shared Secret, specify a display name for the store, and the Access Manager creates the store. Select the store, click New Shared Secret Entry, specify a name for the attribute, then click OK. The store can contain one name/value pair or a collection of name/value pairs. For more information, see Section 30.4, Creating and Managing Shared Secrets.

    • String Constant: Injects a static value that you specify in the text box. This name is used by all users who access the resources assigned to this policy.

    • Java Data Injection Module: Specifies the name of a custom Java plug-in, which injects custom values into the header. Usually, you can use either the LDAP Attribute or Liberty User Profile option to supply custom values, because both are extensible. For more information about creating a custom plug-in, see Novell Access Manager Developer Tools and Examples.

    The value type you use depends upon how you have set up the application.

  7. Specify the format for the value:

    Multi-Value Separator: Select a value separator if the value type you have selected is multi-valued. For example, Roles for Current User can contain multiple values.

    DN Format: If the value is a DN, select the format for the DN:

    • LDAP: Specifies LDAP typed, comma notation. For example:

      cn=jsmith,ou=Sales,o=novell
      
    • NDAP Partial Dot Notation: Specifies eDirectory™ typeless, dot notation. For example:

      jsmith.sales.novell
      
    • NDAP Leading Partial Dot Notation: Specifies eDirectory typeless, leading dot notation. For example:

      .jsmith.sales.novell
      
    • NDAP Fully Qualified Partial Dot Notation: Specifies eDirectory typed, dot notation. For example:

      cn=jsmith.ou=Sales.o=novell
      
  8. Click OK.

  9. (Optional) To add a second rule, click New in the Rule List.

    You can inject only one authentication header into an Identity Injection rule. However, your policy can have multiple rules. If you inject two authentication headers, each in a separate rule, the authentication header in the rule with the highest priority is applied, and the authentication header action in the second rule is ignored.

  10. To save the policy, click OK, then click Apply Changes.
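The following is an added worked example, not code from the Access Manager product or this guide. It models what the policy above produces for a Web server that requires basic authentication: the user name and password sources of steps 5 and 6 are resolved from a constructed Credential Profile, the Multi-Value Separator and DN Format choices of step 7 are applied, and the result is packed into the Authorization header. The receiving side is included so you can see the check a Web server performs on what was injected. The dictionary shapes (`SAMPLE_USER`, the `{"source": ..., "separator": ..., "dn_format": ...}` policy fields) and the treatment of a literal `.` inside an eDirectory name are assumptions made for this example; the value type names are those shown in the policy UI. Case is preserved in the dot-notation forms, whereas the guide's examples show them in lowercase.

```python
import base64
import re

# Constructed sample of the values a user's Credential Profile supplies at
# request time (not real credentials; key names mirror the policy UI choices).
SAMPLE_USER = {
    "LDAP User Name": "jsmith",
    "LDAP User DN": "cn=jsmith,ou=Sales,o=novell",
    "LDAP Password": "s3cret",
    "Roles for Current User": ["Sales", "Manager"],
}


def parse_ldap_dn(dn):
    """Split an LDAP typed, comma-notation DN into (type, value) pairs.
    A backslash-escaped comma inside a value stays part of that value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, sep, val = rdn.partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((typ.strip(), val.replace("\\,", ",")))
    return pairs


def format_dn(dn, dn_format):
    """Render an LDAP DN in one of the four DN Format choices of step 7."""
    pairs = parse_ldap_dn(dn)
    # Assumption for this example: in dot notation a literal '.' inside a
    # name is escaped as '\.' so it is not read as a component boundary.
    dotted = [(t, v.replace(".", "\\.")) for t, v in pairs]
    if dn_format == "LDAP":
        return ",".join(f"{t}={v.replace(',', chr(92) + ',')}" for t, v in pairs)
    if dn_format == "NDAP Partial Dot Notation":
        return ".".join(v for _, v in dotted)
    if dn_format == "NDAP Leading Partial Dot Notation":
        return "." + ".".join(v for _, v in dotted)
    if dn_format == "NDAP Fully Qualified Partial Dot Notation":
        return ".".join(f"{t}={v}" for t, v in dotted)
    raise ValueError(f"unknown DN format: {dn_format!r}")


def resolve_value(spec, user):
    """Turn one policy field (step 5 or 6) into the string placed in the header.
    spec is a constructed dict: {"source": <value type>, "separator": ..., "dn_format": ...}."""
    source = spec["source"]
    if source == "String Constant":
        return spec["value"]
    value = user[source]
    if isinstance(value, list):  # multi-valued type, e.g. Roles for Current User
        return spec.get("separator", ",").join(value)
    if source == "LDAP User DN":
        return format_dn(value, spec.get("dn_format", "LDAP"))
    return value


def basic_auth_header(username, password):
    """Build the Authorization value the Web server sees for basic authentication."""
    # RFC 7617: the user-id must not contain ':', because ':' separates it
    # from the password; a user name with a colon would corrupt the credential.
    if ":" in username:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_authorization(policy, user):
    """Apply a whole Inject into Authentication Header action to one user."""
    return basic_auth_header(resolve_value(policy["user_name"], user),
                             resolve_value(policy["password"], user))


def parse_basic_auth(header_value):
    """The receiving Web server's side: unpack and validate the injected header."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authentication header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials must be 'user-id:password'")
    return username, password


if __name__ == "__main__":
    policy = {
        "user_name": {"source": "LDAP User DN", "dn_format": "NDAP Partial Dot Notation"},
        "password": {"source": "LDAP Password"},
    }
    header = build_authorization(policy, SAMPLE_USER)
    print("Authorization:", header)
    print("server sees:", parse_basic_auth(header))
    print("roles:", resolve_value({"source": "Roles for Current User", "separator": ";"}, SAMPLE_USER))
```

Because the header carries the user's actual password in reversible base64, the same point the guide's policy implies applies here: the connection between the Access Gateway and the Web server must be protected, and the Web server should be the only party able to read what was injected.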