Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual page 119


The default contracts assign the cn attribute to the Credential Profile. If you have created a
custom contract that uses credentials other than the ones listed below, do not use the Credential
Profile as a condition.
If your user store is an Active Directory server, the SAMAccountName attribute is used for the
username and stored in the cn field of the LDAP Credential Profile.
Depending upon what the user must supply for authentication, select one of the following:
LDAP Credentials: If you prompt the user for a username, select this option, then select
either LDAP User Name (the cn attribute of the user) or LDAP User DN (the fully
distinguished name of the user). Your Web server requirements determine which one you
use.
X509 Credentials: If you prompt the user for a certificate, select this option, then select
one of the following options depending upon your Web server requirements.
X509 Public Certificate Subject: Injects just the subject field from the certificate,
which can match the DN of the user, depending upon who issued the certificate.
X509 Public Certificate Issuer: Injects just the issuer field from the certificate,
which is the name of the certificate authority (CA) that issued the certificate.
X509 Public Certificate: Injects the entire certificate.
X509 Serial Number: Injects the certificate serial number.
SAML Credential: Although this option is available for the username, most applications
that use SAML assertions use them for the user's password. For the username, you should
probably select an option that allows you to supply the user's name, such as LDAP
Credentials or LDAP Attribute.
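The policy above decides what the Access Gateway puts into the header; the Web application behind it still has to consume that value safely. The following Python is an added example, not code from Novell Access Manager or this guide. It assumes a hypothetical header name (X-Remote-User), a hypothetical gateway address range, and a local username character policy; all three are assumptions. It shows the two checks a practitioner wants on the receiving side: honour the injected header only when the request arrived from the gateway, and normalize the injected value according to the data type the policy was configured with (LDAP User Name, LDAP User DN, or X509 Public Certificate Subject), extracting the cn from a DN with a parser that handles escaped separators.

```python
"""Consumer-side handling of an identity-injected username header (hypothetical example)."""
import ipaddress
import re

# Assumptions for this example: where the Access Gateway sits and which header it injects.
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.0.0/24")]
USERNAME_HEADER = "X-Remote-User"
# Assumed local username policy (tighten or loosen to match your own user store).
USERNAME_RE = re.compile(r"[A-Za-z0-9._\-]{1,64}")


def parse_dn(dn):
    """Split a DN such as 'cn=jsmith,ou=Users,o=novell' into [(type, value), ...].

    Handles backslash-escaped separators (RFC 4514 style, e.g. 'cn=Smith\\, John') and
    double-quoted values from older encoders. Hex-pair escapes are not decoded.
    """
    components, buf, i, quoted = [], [], 0, False
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in ",;" and not quoted:
            components.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    components.append("".join(buf))
    pairs = []
    for comp in components:
        comp = comp.strip()
        if not comp:
            continue
        if "=" not in comp:
            raise ValueError("malformed RDN: %r" % comp)
        attr_type, value = comp.split("=", 1)
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def username_from_header(value, data_type):
    """Normalize the injected value to a short username.

    data_type mirrors the policy's username data types: 'ldap_cn' (LDAP User Name),
    'ldap_dn' (LDAP User DN) or 'x509_subject' (X509 Public Certificate Subject).
    """
    if data_type == "ldap_cn":
        name = value.strip()
    elif data_type in ("ldap_dn", "x509_subject"):
        cns = [v for t, v in parse_dn(value) if t == "cn"]
        if not cns:
            raise ValueError("no cn in injected DN: %r" % value)
        name = cns[0]  # leftmost, most specific RDN
    else:
        raise ValueError("unsupported data type: %s" % data_type)
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("injected username fails local policy: %r" % name)
    return name


def resolve_user(headers, peer_ip, data_type="ldap_dn"):
    """Return the authenticated username, or None when the header must not be trusted.

    The header is only meaningful if the request came from the gateway that injects it;
    from any other peer the same header is just client-supplied input.
    """
    if not any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_GATEWAYS):
        return None
    raw = next((v for k, v in headers.items() if k.lower() == USERNAME_HEADER.lower()), None)
    if raw is None:
        return None
    return username_from_header(raw, data_type)


if __name__ == "__main__":
    # Constructed requests: one from the gateway, one spoofed by a direct client.
    hdrs = {"X-Remote-User": "cn=jsmith,ou=Users,o=novell"}
    print(resolve_user(hdrs, "10.0.0.7"))   # jsmith
    print(resolve_user(hdrs, "192.0.2.5"))  # None
```

If the Web server can be reached without passing through the gateway (for example from inside the data centre), the peer check is the only thing standing between an injected identity and a spoofed one, so network placement of the application matters as much as the policy configuration.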
Your Web server requirements determine the data type you select for the username. LDAP,
X509, and SAML credentials are available from the Credential Profile. If you have created a
custom contract that uses a credential other than the ones listed in the Credential Profile, you
can select one of the following values to insert into the header as the username:
Authentication Contract: Injects the URI of the authentication contract the user used for
authentication.
Client IP: Injects the IP address associated with the user.
LDAP Attribute: Injects the value of the selected attribute. For Active Directory servers,
specify the SAMAccountName attribute for the username. If the attribute you require does
not appear in the list, click New LDAP Attribute to add the attribute.
The Refresh Data Every option allows you to determine when to send a query to the
LDAP server to verify the current value of the attribute. Because querying the LDAP
server slows down the processing of a policy, LDAP attribute values are normally cached
for the user session.
Change the value of this option from session to a more frequent interval only for attributes
that are critical to the security of your system or to the design of your workflow. Until a
refresh occurs, a change made in the directory (for example, removing a user from a group) is
not reflected in the injected value, so a session-cached attribute can remain stale for as long
as the session lasts. You can cache the value for the session, for the request, or for a time
interval ranging from 5 seconds to 60 minutes.
For more information, see Section 4.1.1, "Using the Refresh Data Option," on page 116.
Liberty User Profile: Injects the value of the selected attribute. If no profile attributes are
available, you have not enabled their use in the Identity Server configuration. See
"Managing Web Services and Profiles" in the Novell Access Manager 3.1 SP2 Identity Server
Guide.
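To make the Refresh Data Every trade-off concrete, the following Python is an added example that is not part of this guide or of the product: a small attribute cache whose refresh setting is "session", "request", or an interval in seconds (bounded to the 5 second to 60 minute range the policy offers), driven by a constructed directory and a fake clock. The scenario removes a user from an administrative group mid-session and shows what each setting returns afterwards and how many directory queries it costs. The directory contents, attribute name and group DNs are all constructed for the example.

```python
"""Caching of an LDAP attribute value per the Refresh Data Every setting (hypothetical example)."""

REFRESH_SESSION = "session"
REFRESH_REQUEST = "request"
MIN_INTERVAL, MAX_INTERVAL = 5, 60 * 60  # seconds; the policy UI offers 5 s to 60 min

# Constructed group DNs used by the scenario below.
ADMINS_GROUP = "cn=admins,ou=groups,o=example"
USERS_GROUP = "cn=users,ou=groups,o=example"


class LdapAttributeCache:
    """Caches (session, attribute) -> value and decides when to re-query the directory."""

    def __init__(self, lookup, refresh, clock):
        if refresh not in (REFRESH_SESSION, REFRESH_REQUEST):
            if not isinstance(refresh, (int, float)) or not MIN_INTERVAL <= refresh <= MAX_INTERVAL:
                raise ValueError("refresh must be 'session', 'request' or %d..%d seconds"
                                 % (MIN_INTERVAL, MAX_INTERVAL))
        self.lookup = lookup      # lookup(session_user, attr) -> value; stands in for the LDAP query
        self.refresh = refresh
        self.clock = clock        # callable returning seconds
        self._cache = {}          # (user, attr) -> (value, fetched_at)
        self.queries = 0          # number of directory queries actually issued

    def _fresh(self, fetched_at, now):
        if self.refresh == REFRESH_SESSION:
            return True                      # never re-query within the session
        if self.refresh == REFRESH_REQUEST:
            return False                     # re-query on every request
        return now - fetched_at < self.refresh

    def get(self, user, attr):
        key = (user, attr)
        now = self.clock()
        hit = self._cache.get(key)
        if hit is not None and self._fresh(hit[1], now):
            return hit[0]
        value = self.lookup(user, attr)
        self.queries += 1
        self._cache[key] = (value, now)
        return value

    def end_session(self, user):
        """Drop everything cached for the user; the next request queries the directory again."""
        for key in [k for k in self._cache if k[0] == user]:
            del self._cache[key]


class FakeClock:
    """Constructed clock so the example runs without waiting for real time to pass."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(refresh):
    """Constructed scenario: the user is moved out of the admins group one second into the session.

    Returns (value seen before the change, value seen 1 s after it, value seen 61 s after it,
    number of directory queries issued).
    """
    directory = {"jsmith": {"memberOf": ADMINS_GROUP}}
    clock = FakeClock()
    cache = LdapAttributeCache(lambda u, a: directory[u][a], refresh, clock.now)
    before = cache.get("jsmith", "memberOf")
    directory["jsmith"]["memberOf"] = USERS_GROUP   # administrator revokes the group in LDAP
    clock.advance(1)
    right_after = cache.get("jsmith", "memberOf")
    clock.advance(60)
    later = cache.get("jsmith", "memberOf")
    return before, right_after, later, cache.queries


if __name__ == "__main__":
    for setting in (REFRESH_SESSION, REFRESH_REQUEST, 30):
        print(setting, simulate(setting))
```

With "session" the revoked group is injected for the rest of the session at the cost of a single query; with "request" every request pays a directory round trip but sees the change immediately; a 30 second interval sees the change on the first request after the interval expires. That is the trade-off the guide asks you to make per attribute rather than globally.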
Creating Identity Injection Policies 119
