6 Defining Shared Settings
You can define shared settings so that they can be reused and are available in any Identity Server
cluster configuration. The settings include:
Attribute sets: Sets of attributes that are exchangeable between identity and service providers.
User matching expressions: The logic of the query to the user store for identification when an assertion is received from an identity provider.
Shared Secret names: Custom shared secret names that you want to be available when configuring policies.
LDAP attributes: Custom LDAP attribute names that you want to be available when configuring policies.
Authentication card images: Custom images that you can assign to authentication cards to uniquely identify an authentication procedure.
These features are configurable from the Shared Settings tab on the Identity Servers page.
This section describes the following tasks:
Section 6.1, "Configuring Attribute Sets," on page 173
Section 6.2, "Editing Attribute Sets," on page 176
Section 6.3, "Configuring User Matching Expressions," on page 176
Section 6.4, "Adding Custom Attributes," on page 178
Section 6.5, "Adding Authentication Card Images," on page 180
Section 6.6, "Creating an Image Set," on page 181
6.1 Configuring Attribute Sets
The attributes you specify on the Identity Server are used in attribute requests and responses,
depending on whether you are configuring a service provider (request) or identity provider
(response). Attribute sets provide a common naming scheme for the exchange. For example, an
attribute set can map an LDAP attribute such as givenName to the equivalent remote name used at
the service provider, which might be firstName. These shared attributes can then be used for policy
enforcement, user identification, and data injection.
For example, suppose a Web server application requires the user's e-mail address. In this scenario, you configure the Web server as a protected resource of the Access Gateway and configure an Identity Injection policy that adds the user's e-mail address to a custom HTTP header. Without an attribute set, the value of the e-mail attribute is retrieved from the user store at the time the user accesses the protected resource. If instead you create an attribute set containing this attribute and assign it to be sent with the authentication response of the Embedded Service Provider of the Access Gateway, the value is cached at authentication and is immediately available. If you use multiple attributes in policies, obtaining all of their values in a single LDAP request at authentication time reduces the LDAP traffic to your user store.
You can define multiple attribute sets and assign them to different trusted relationships. You can also
use the same attribute set for multiple trusted relationships.
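The following is an added simulation, not Access Manager code, of the trade-off described above: an attribute set assigned to the Embedded Service Provider's authentication response is fetched in one LDAP request at login and cached, whereas without it each Identity Injection policy evaluation costs a user-store query at access time. The user store entry, the attribute names beyond givenName/firstName, the header names and all function names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample user store entry (not real data); names follow the page's example.
USER_STORE = {"jdoe": {"givenName": "Jane", "mail": "jane@example.com", "cn": "Jane Doe"}}

class LdapUserStore:
    """Stand-in for the LDAP user store that counts requests so configurations can be compared."""
    def __init__(self, entries):
        self.entries, self.queries = entries, 0

    def fetch(self, uid, attrs):
        self.queries += 1  # one LDAP request regardless of how many attributes it asks for
        return {a: v for a, v in self.entries[uid].items() if a in attrs}

@dataclass
class AttributeSet:
    mapping: dict  # local LDAP name -> remote name, e.g. {"givenName": "firstName"}

    def to_remote(self, values):  # identity provider side: name attributes for the response
        return {self.mapping[k]: v for k, v in values.items() if k in self.mapping}

    def to_local(self, values):  # service provider side: map remote names back to local ones
        inverse = {rem: loc for loc, rem in self.mapping.items()}
        return {inverse[k]: v for k, v in values.items() if k in inverse}

def authenticate(store, uid, attribute_set=None):
    """One LDAP request at login fetches every attribute in the set; the ESP caches the result."""
    session = {"uid": uid, "cache": {}}
    if attribute_set:
        response = attribute_set.to_remote(store.fetch(uid, list(attribute_set.mapping)))
        session["cache"] = attribute_set.to_local(response)
    return session

def identity_injection(store, session, attr, header):
    """Fill a custom HTTP header; a cache miss costs an LDAP request at access time."""
    value = session["cache"].get(attr)
    if value is None:
        value = store.fetch(session["uid"], [attr])[attr]
    return {header: value}

def ldap_queries(attribute_set, accesses=3):
    """LDAP requests for one login plus `accesses` resource hits under two injection policies."""
    store = LdapUserStore(USER_STORE)
    session = authenticate(store, "jdoe", attribute_set)
    for _ in range(accesses):
        identity_injection(store, session, "mail", "X-User-Email")
        identity_injection(store, session, "givenName", "X-First-Name")
    return store.queries
```

With no attribute set the three accesses cost six queries; an attribute set covering both attributes costs one, and one covering only mail costs four, since every givenName lookup still goes to the user store.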
Access Manager 3.1 SP2 - Identity Server Guide, 2010