Extracting custom attributes of an authenticated user from a directory-based identity provider

Article ID: 42843


Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Solution

Background

The CA API Gateway can fetch customized attributes from an LDAP-based directory, such as Microsoft Active Directory or Tivoli Access Manager. The Gateway will map and return several default attributes that are useful for authenticating and authorizing users attempting to consume services published and protected by the Gateway. The default attributes that are mapped to an authenticated user are defined within the LDAP Identity Provider Wizard, which is illustrated below for a generic LDAP directory:

<Please see attached file for image>

A screen capture of the LDAP Identity Provider Wizard

Not all directory servers are created equal, and this dialog allows a Gateway administrator to map LDAP attributes to the logical entities used by the Gateway. The Gateway will query and map all of the attributes specified in the wizard above. An attribute can be ignored by leaving its mapping field blank. Attributes that are not specified in this wizard must be added manually. This article describes the steps necessary to map custom attributes.

Implementation

The LDAP Identity Provider Wizard allows an administrator to specify customized attributes to return from a directory. These attributes must be present and valid in the target directory. They are added to the LDAP query that authenticates a user account and are returned in the accompanying query result set. The screen capture below shows an example of a Gateway configured to return custom attributes from the naturalPerson object class.

<Please see attached file for image>

A screen capture of customized attributes being retrieved via the LDAP Identity Provider Wizard

The Gateway can also be instructed to return all attributes for an authenticated user. This gives an administrator more flexibility to extract attributes from an authenticated user, but it can increase the load placed upon the directory server and may increase the time an authentication and authorization attempt takes, as the Gateway waits for the attributes to be returned. It is not recommended that the Gateway be configured to return all attributes for an authenticated user in a high-traffic production environment.

Retrieving the attributes from a directory for an authenticated user does not make them immediately available for use in policy. The Extract Attributes from Authenticated User assertion allows a policy author or administrator to map expected attributes to context variables. These variables can then be used in a published service policy for policy enforcement. The screen capture below illustrates how to map retrieved attributes to context variables using this assertion.

<Please see attached file for image>

A screen capture of the Identity Attributes assertion dialog

These attributes are added manually by selecting the Add button, which opens the following dialog. The dialog shown has been populated with an attribute and a context variable. The attribute name must literally match an attribute retrieved through the LDAP Identity Provider Wizard. The context variable is automatically set to the name of the attribute but can be changed by the policy author. The Identity Attributes assertion also allows a customized variable prefix in case multiple assertions are required.

This assertion will create the following context variables as dictated by the View Info dialog of the Extract Attributes from Authenticated User assertion:

<Please see attached file for image>

A screen capture of the View Info dialog of the Extract Attributes from Authenticated User assertion

These variables can then be used throughout a published service policy to make further authorization decisions or drive policy execution.
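The two stages described above, as an added illustration rather than code from the CA API Gateway: the first function builds the attribute list that the authentication query would request (wizard mappings plus custom attributes, or everything when "return all" is enabled), and the second mirrors the Extract Attributes from Authenticated User assertion by mapping retrieved attributes to context variables under an optional prefix. The wizard mappings, the naturalPerson entry and the attribute names are constructed sample data.

```python
# Added example (not CA API Gateway code). Models how custom attributes flow from
# the LDAP Identity Provider Wizard into policy context variables.

# Sample wizard mappings: logical Gateway entity -> LDAP attribute (constructed).
DEFAULT_MAPPINGS = {"login": "uid", "name": "cn", "email": "mail"}

# Constructed result of an authentication query for one naturalPerson entry.
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "cn": "Jane Doe",
    "mail": "jdoe@example.com",
    "employeeNumber": "1042",
}


def requested_attributes(mappings, custom_attributes, return_all=False):
    """Attributes the authentication query asks the directory to return."""
    if return_all:
        # Every attribute of the entry: flexible, but costly on a busy directory.
        return ["*"]
    # A blank mapping field in the wizard means that attribute is ignored.
    wanted = [attr for attr in mappings.values() if attr]
    # Custom attributes are appended to the same query, without duplicates.
    return wanted + [a for a in custom_attributes if a and a not in wanted]


def extract_attributes(entry, attribute_to_variable, prefix=None):
    """Map retrieved attributes to context variables, as the assertion does.

    Attribute names must match the retrieved attributes literally; the variable
    name defaults to the attribute name and may carry a custom prefix.
    Returns (variables, attributes that were not in the retrieved entry).
    """
    variables, missing = {}, []
    for attr, var in attribute_to_variable.items():
        var = var or attr
        key = f"{prefix}.{var}" if prefix else var
        if attr in entry:
            variables[key] = entry[attr]
        else:
            missing.append(attr)
    return variables, missing
```

An attribute that was never requested in the wizard (or whose name differs in spelling) ends up in the `missing` list, which is the situation behind an empty context variable in policy.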

Environment

Release:
Component: APIGTW

Attachments

1558722717081000042843_sktwi1f5rjvs16wka.jpeg
1558722715381000042843_sktwi1f5rjvs16wk9.jpeg
1558722713436000042843_sktwi1f5rjvs16wk8.jpeg
1558722711423000042843_sktwi1f5rjvs16wk7.jpeg