Some applications require custom information in a query string of the URL. The
option allows you to inject this information without prompting the user for it. To inject the information, you must specify a tag name and a tag value. The tag name is what your application requires. For example, suppose your application expects the following query string for user jsmith:?name=jsmith
You can inject this information into the URL by specifying a name for the
and for the . The value type inserts the name that the current user specified when authenticating to the Access Gateway.In the Administration Console, click
> .Select the policy container, then click
.Specify a name for the policy, select
for the type, then click .(Optional) Specify a description for the injection policy.
In the
section, click , then select .Fill in the following fields:
Tag Name: Specify the tag name that the application expects.
Tag Value: Specify the value. Select from the following data types:
Authentication Contract: Injects the URI of a local authentication contract that the user used for authentication.
Client IP: Injects the IP address associated with the user.
Credential Profile: Injects the credentials that the user specified at login. You can select Section 4.3, Configuring an Authentication Header Policy.
> , or . For more information, seeLDAP Attribute: Injects the value of the selected attribute. For Active Directory servers, specify the SAMAccountName attribute for the username. If the attribute you require does not appear in the list, click
to add the attribute.The
option allows you to determine when to send a query to the LDAP server to verify the current value of the attribute. Because querying the LDAP server slows down the processing of a policy, LDAP attribute values are normally cached for the user session.Change the value of this option from session to a more frequent interval only on those attributes that are critical to the security of your system or to the design of your work flow. You can select to cache the value for the session, for the request, or for a time interval varying from 5 seconds to 60 minutes. For more information, see Section 4.1.1, Using the Refresh Data Option.
Liberty User Profile:
Injects the value of the selected attribute. If no profile attributes are available, you have not enabled their use in the Identity Server configuration. See Managing Web Services and Profiles
in the Novell Access Manager 3.1 SP2 Identity Server Guide.
Proxy Session Cookie: Injects the session cookie associated with the user.
Roles: Injects the roles that have been assigned to the user.
Shared Secret: Injects a value that has been stored in the selected shared secret store. The name specified as the Tag Name must match the name of a name/value pair stored in the shared secret.
You can create your own value. Click Section 5.4, Creating and Managing Shared Secrets.
, specify a display name for the store, and the Access Manager creates the store. Select the store, click , specify a name for the attribute, then click . The name you specify must match the Tag Name. The store can contain one name/value pair or a collection of name/value pairs. For more information, seeThe
option allows you to determine when to send a query to verify the current value of the secret. Because querying slows down the processing of a policy, secret values are normally cached for the user session.Change the value of this option from session to a more frequent interval only on those secrets that are critical to the security of your system or to the design of your work flow. You can select to cache the value for the session, for the request, or for a time interval varying from 5 seconds to 60 minutes. For more information, see Section 4.1.1, Using the Refresh Data Option.
String Constant: Injects a static value that you specify in the text box. This value is used by all users who access the resources assigned to this policy.
Java Data Injection Module: Specifies the name of a custom Java plug-in, which injects custom values into the header. Usually, you can use either the Novell Access Manager Developer Tools and Examples.
or option to supply custom values, because both are extensible. For more information about creating a custom plug-in, seeData Extension: (Conditional) If you have installed a data extension for Identity Injection policies, this option injects the value that the extension retrieves. For more information about creating a data extension, see Novell Access Manager Developer Tools and Examples.
(Optional) To add multiple tag and value pairs, click
in the section.You can inject only one query string into a rule, but you can inject multiple tag-name and tag-value pairs in the single query string.
Use the up-arrow and down-arrow buttons to order the tags.
Specify the format for the values:
Multi-Value Separator: Select a value separator, if the value type you have select is multi-valued. For example,
can contain multiple values.DN Format: If the value is a DN, select the format for the DN:
LDAP: Specifies LDAP typed comma notation.
cn=jsmith,ou=Sales,o=novell
NDAP Partial Dot Notation: Specifies eDirectory typeless dot notation.
jsmith.sales.novell
NDAP Leading Partial Dot Notation: Specifies eDirectory typeless leading dot notation.
.jsmith.sales.novell
NDAP Fully Qualified Partial Dot Notation: Indicates eDirectory typed dot notation.
cn=jsmith.ou=Sales.o=novell
NDAP Fully Qualified Leading Dot Notation: Indicates eDirectory typed leading dot notation.
.cn=jsmith.ou=Sales.o=novell
To save the policy, click
twice, then click .