Before setting up an Identity Injection policy, you need to know the following about your Web application:
Does it require an authentication header? Does this header need just the user name or does it also need the password?
Does it use a custom header with custom names (x-names)? If so, you need to know their names and their expected values.
Does the custom header require any custom names (x-names) with tags? If so, gather this information.
Does the application expect specific values in the query string of the URL? If so, gather this information.
After gathering the information, you need to determine whether you need to create one policy with one rule, one policy with multiple rules, or multiple policies. If you have multiple applications that require the same type of authentication header, you might want to create an authentication header policy and separate policies for the application-specific information. You can then enable both the authentication header policy and the application-specific policy for the resource that is protecting the application. Everything defined in a policy is injected into the header, even if the values are empty because the Access Manager could not obtain the value for the item. For some applications, this is still useful information and the application uses it to make access decisions.
You should design your policies so that the application receives just what it needs. It should not inject custom names and values it does not use.
Whether you create a policy with one rule or multiple rules is a personal design decision. If you put all the actions in one rule, you have only one description field to describe the function of the policy. If you put each action type in a separate rule, you have multiple description fields to describe the function of the policy. Select the method that is easiest for you.
Rules are evaluated by priority. The first rule that is evaluated with an authentication header is processed, and the authentication header is rejected if it is found in any of the other rules. Your policy can inject only one authentication header, one cookie header, and one query string, but it can inject multiple custom headers and custom headers with tags.