IBM Verify

Access Manager credential attributes created by various login methods

By Jon Harry posted Thu March 21, 2019 06:53 AM

  
A long time ago, I created a couple of tables which described how the various attributes end up in a WebSEAL credential.
Following a discussion thread on this community, I thought it would be interesting to revisit these tables for an Access Manager environment using the AAC Authentication Service.  I hope you find this enlightening.

This first table shows the attributes found in a user credential built when a user authenticates using the built-in username/password mechanism of WebSEAL.  It also shows which part of WebSEAL provides the attribute:

Source                          Attributes
------------------------------  ----------------------------------------
CDAS                            AZN_CRED_AUTHNMECH_INFO
WebSEAL builds PAC              AUTHENTICATION_LEVEL
                                AZN_CRED_AUTH_METHOD
                                AZN_CRED_USER_INFO
                                AZN_CRED_QOP_INFO
                                AZN_CRED_BROWSER_INFO
                                AZN_CRED_IP_FAMILY
                                AZN_CRED_NETWORK_ADDRESS_BIN
                                AZN_CRED_NETWORK_ADDRESS_STR
                                groups
                                tagvalue_max_concurrent_web_sessions
AM Credential Create            AZN_CRED_PRINCIPAL_DOMAIN
                                AZN_CRED_PRINCIPAL_NAME
                                AZN_CRED_PRINCIPAL_UUID
                                AZN_CRED_MECH_ID
                                AZN_CRED_AUTHZN_ID
                                AZN_CRED_GROUPS
                                AZN_CRED_GROUP_REGISTRY_IDS
                                AZN_CRED_GROUP_UUIDS
                                AZN_CRED_REGISTRY_ID
                                AZN_CRED_VERSION
WebSEAL – Cred Modification     tagvalue_login_user_name
                                tagvalue_user_session_id
                                tagvalue_session_index

This next table shows the same information for a credential built following authentication using the AAC advanced authentication service.  In this case the AAC "Point of Contact" configuration was set to the "Username and Extended Attributes" profile.  You would get the same attributes if using the "Non-Access Manager Username" profile:

Source                          Attributes
------------------------------  ----------------------------------------
AAC Attributes                  authenticationMechanismTypes
                                authenticationTypes
AAC PoC (return username)       AZN_CUSTOM_ATTRIBUTES
WebSEAL builds PAC              AUTHENTICATION_LEVEL
                                AZN_CRED_AUTH_METHOD
                                AZN_CRED_USER_INFO
                                AZN_CRED_QOP_INFO
                                AZN_CRED_BROWSER_INFO
                                AZN_CRED_IP_FAMILY
                                AZN_CRED_NETWORK_ADDRESS_BIN
                                AZN_CRED_NETWORK_ADDRESS_STR
                                groups
                                tagvalue_max_concurrent_web_sessions
AM Credential Create            AZN_CRED_PRINCIPAL_DOMAIN
                                AZN_CRED_PRINCIPAL_NAME
                                AZN_CRED_PRINCIPAL_UUID
                                AZN_CRED_MECH_ID
                                AZN_CRED_AUTHZN_ID
                                AZN_CRED_REGISTRY_ID
                                AZN_CRED_GROUPS
                                AZN_CRED_GROUP_REGISTRY_IDS
                                AZN_CRED_GROUP_UUIDS
                                AZN_CRED_VERSION
WebSEAL – Cred Modification     tagvalue_login_user_name
                                tagvalue_user_session_id
                                tagvalue_session_index

You can see that this method provides *almost* the same attribute set as native authentication by WebSEAL.  This is because WebSEAL is building the credential in both cases.  The differences are simply in the attributes being fed into that build process: the CDAS-supplied AZN_CRED_AUTHNMECH_INFO is absent, and the AAC-supplied attributes are present instead.

The final table shows the attributes in a credential built following authentication using the same AAC advanced authentication service but with the AAC "Point of Contact" configuration set to the "Access Manager Credential" profile:

Source                          Attributes
------------------------------  ----------------------------------------
AAC Attributes                  authenticationMechanismTypes
                                authenticationTypes
AAC PoC (build PAC)             AZN_CRED_AUTH_METHOD
                                AZN_CRED_PRINCIPAL_NAME
                                AZN_CRED_PRINCIPAL_UUID
                                AZN_CRED_MECH_ID
                                AZN_CRED_VERSION
                                AZN_CRED_AUTHNMECH_INFO
WebSEAL – Cred Modification     tagvalue_login_user_name
                                tagvalue_user_session_id
                                tagvalue_session_index

You can see that the result here is quite different!  This is because the AAC creates and sends a very basic Access Manager credential which is consumed directly by WebSEAL.  WebSEAL is not involved in creating the credential, so the WebSEAL PAC code and the underlying Access Manager credential build code are NOT called.  The only input WebSEAL has to the credential attributes is the three attributes added to the credential by the cred modification code.

If you look at the attributes that are missing from the credential when using the AAC "Access Manager Credential" profile, you can rightly assume that many functions of WebSEAL will not work as expected.  This includes group-based ACLs, IP-range POPs, and concurrent web session limitations.

If you must use the "Access Manager Credential" profile, and you want to use these features, you must customize your AAC code to add the attributes required to support them.
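To make the comparison above concrete, here is an added example (my own code, not part of the original post or of any IBM product) that transcribes the three tables as data, derives the final attribute set for each login path, diffs it against the native WebSEAL credential, and reports which of the features named above have lost their inputs.  The per-component attribute lists come straight from the tables; the mapping from each WebSEAL feature to the attributes it reads (FEATURE_INPUTS) is my assumption for the example, not something the post or product documentation states.  The broken_features() function also accepts any list of attribute names, so you can feed it an attribute dump from your own environment to check a customised AAC credential before relying on it.

```python
"""Derive the WebSEAL credential attribute set for each login path and
report which WebSEAL features lose the attributes they depend on.

Added example, not part of the original post. Component attribute lists are
transcribed from the post's three tables; FEATURE_INPUTS is an assumption.
"""

# Attributes contributed by each component, transcribed from the post's tables.
CDAS = {"AZN_CRED_AUTHNMECH_INFO"}
AAC_ATTRIBUTES = {"authenticationMechanismTypes", "authenticationTypes"}
AAC_POC_RETURN_USERNAME = {"AZN_CUSTOM_ATTRIBUTES"}
AAC_POC_BUILD_PAC = {
    "AZN_CRED_AUTH_METHOD", "AZN_CRED_PRINCIPAL_NAME", "AZN_CRED_PRINCIPAL_UUID",
    "AZN_CRED_MECH_ID", "AZN_CRED_VERSION", "AZN_CRED_AUTHNMECH_INFO",
}
WEBSEAL_PAC = {
    "AUTHENTICATION_LEVEL", "AZN_CRED_AUTH_METHOD", "AZN_CRED_USER_INFO",
    "AZN_CRED_QOP_INFO", "AZN_CRED_BROWSER_INFO", "AZN_CRED_IP_FAMILY",
    "AZN_CRED_NETWORK_ADDRESS_BIN", "AZN_CRED_NETWORK_ADDRESS_STR",
    "groups", "tagvalue_max_concurrent_web_sessions",
}
AM_CRED_CREATE = {
    "AZN_CRED_PRINCIPAL_DOMAIN", "AZN_CRED_PRINCIPAL_NAME", "AZN_CRED_PRINCIPAL_UUID",
    "AZN_CRED_MECH_ID", "AZN_CRED_AUTHZN_ID", "AZN_CRED_GROUPS",
    "AZN_CRED_GROUP_REGISTRY_IDS", "AZN_CRED_GROUP_UUIDS", "AZN_CRED_REGISTRY_ID",
    "AZN_CRED_VERSION",
}
WEBSEAL_CRED_MOD = {
    "tagvalue_login_user_name", "tagvalue_user_session_id", "tagvalue_session_index",
}

# Which components run for each login path, in the order the tables list them.
PIPELINES = {
    "webseal_native": [CDAS, WEBSEAL_PAC, AM_CRED_CREATE, WEBSEAL_CRED_MOD],
    "aac_username_and_extended_attributes": [
        AAC_ATTRIBUTES, AAC_POC_RETURN_USERNAME, WEBSEAL_PAC, AM_CRED_CREATE, WEBSEAL_CRED_MOD,
    ],
    "aac_access_manager_credential": [AAC_ATTRIBUTES, AAC_POC_BUILD_PAC, WEBSEAL_CRED_MOD],
}

# ASSUMPTION (not from the post): the credential attributes each feature reads.
FEATURE_INPUTS = {
    "group-based ACLs": {
        "AZN_CRED_GROUPS", "AZN_CRED_GROUP_UUIDS", "AZN_CRED_GROUP_REGISTRY_IDS",
    },
    "IP-range POPs": {
        "AZN_CRED_IP_FAMILY", "AZN_CRED_NETWORK_ADDRESS_BIN", "AZN_CRED_NETWORK_ADDRESS_STR",
    },
    "concurrent web session limits": {"tagvalue_max_concurrent_web_sessions"},
}


def credential_attributes(pipeline):
    """Union of everything the components of a login path contribute."""
    return set().union(*PIPELINES[pipeline])


def missing_versus_native(pipeline):
    """Attributes the native WebSEAL credential has that this path lacks, sorted."""
    native = credential_attributes("webseal_native")
    return sorted(native - credential_attributes(pipeline))


def broken_features(attrs):
    """Map each feature whose inputs are incomplete to the sorted list of
    attributes it is missing. Accepts any iterable of attribute names, e.g.
    a dump of a credential produced by customised AAC code."""
    present = set(attrs)
    return {
        feature: sorted(needed - present)
        for feature, needed in FEATURE_INPUTS.items()
        if not needed <= present
    }


def audit(pipeline):
    """Human-readable summary for one login path."""
    lines = [f"== {pipeline} =="]
    missing = missing_versus_native(pipeline)
    lines.append(f"missing versus native WebSEAL login: {len(missing)}")
    lines.extend(f"  - {name}" for name in missing)
    for feature, gaps in broken_features(credential_attributes(pipeline)).items():
        lines.append(f"feature at risk: {feature} (needs {', '.join(gaps)})")
    return "\n".join(lines)


if __name__ == "__main__":
    for name in PIPELINES:
        print(audit(name))
        print()
```

Running it reproduces the post's conclusions: the "Username and Extended Attributes" path differs from native login only by the CDAS-supplied AZN_CRED_AUTHNMECH_INFO, while the "Access Manager Credential" path drops fifteen attributes and leaves all three named features without their inputs.  Once you have customised the AAC credential, pass its attribute names to broken_features() to confirm the gaps are closed.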
#ISAM