Hi Giriraj,
If your connection from AD was a federation (SAML etc.) connection then it would be relatively simple to create an additional attribute in the credential using the SP JavaScript mapping rule. However, it looks like your Active Directory is a federated directory... with Verify Access reading it directly over LDAPS.
In that case, I don't think there is an opportunity to perform any attribute manipulation during the login process... so, unless there is a suitable attribute already in AD user record, you'd have to split this into two actions:
1) Add an HTTP header using the user principal - this can be done with HTTP Tag Value or in the configuration file
2) Use an XSLT HTTP Transformation Rule on the response to modify the header value (remove the domain suffix).
For (1), use the [header-names] stanza - that's the easiest approach. For example, use this line:
credattr{AZN_CRED_PRINCIPAL_NAME} = X-Principal
This adds the X-Principal header.
If you want to only send to a single junction, add an extended attribute to the junction object with:
name: HTTP-Tag-Value
value: AZN_CRED_PRINCIPAL_NAME=X-Principal
For (2), you need to write an XSLT rule. This can be tricky but there are examples here:
https://github.com/IBM-Security/isam-support/tree/master/config-example/webseal/http-transformations/response
This one looks close to what you need:
https://github.com/IBM-Security/isam-support/blob/master/config-example/webseal/http-transformations/response/response-modify-header.xslt
I hope this helps.
Jon.
------------------------------
Jon Harry
Senior Technical Sales Enablement Specialist
Identity and Access Management
IBM Technology, Worldwide
------------------------------
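An XSLT rule for step (2) of the reply above, added here as an illustration; it is not taken from the thread or from the IBM isam-support repository. The HTTPResponse/HTTPResponseChange element names, the Headers/Header layout and the Header action attribute are assumptions based on the linked config-example layout, so compare them against response-modify-header.xslt before deploying. Unlike a bare substring-before(), it leaves a value that has no '@' unchanged instead of blanking it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread or the IBM repo): strip the domain
     suffix from the X-Principal header that the [header-names] stanza adds.
     ASSUMED element names (HTTPResponse, Headers/Header, HTTPResponseChange,
     Header/@action): verify against the linked response-modify-header.xslt. -->
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" omit-xml-declaration="yes" indent="yes"/>
  <xsl:strip-space elements="*"/>

  <!-- Header to rewrite; must match the name used in [header-names]. -->
  <xsl:variable name="hdr" select="'X-Principal'"/>

  <!-- Emit only a change document, touching just the header of interest. -->
  <xsl:template match="/HTTPResponse">
    <HTTPResponseChange>
      <xsl:apply-templates select="Headers/Header[@name=$hdr]"/>
    </HTTPResponseChange>
  </xsl:template>

  <!-- Only rewrite when the value carries a domain suffix. A value with no
       '@' (e.g. a local account) is left as-is, because substring-before()
       would otherwise return '' and the header would be emptied. -->
  <xsl:template match="Header">
    <xsl:if test="contains(., '@')">
      <Header action="update" name="{@name}">
        <!-- firstname.lastname@domain.com becomes firstname.lastname -->
        <xsl:value-of select="substring-before(., '@')"/>
      </Header>
    </xsl:if>
  </xsl:template>
</xsl:stylesheet>
```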
Original Message:
Sent: Wed May 25, 2022 08:19 PM
From: Giriraj Dave
Subject: Custom header and transformation - (Active Directory Attribute)
We have a federated active directory on version 10.0.0.2. We see the users in Policy Administration, but we don't have an attribute that we can use as user id other than the user principal name (which is a mail address). The iv-user therefore comes in as firstname.lastname@domain.com.
How can we define a custom header, let's say ABC_USER, which has the value firstname.lastname@domain.com? We also need to transform this header value, so that it only contains the firstname.lastname and the domain name is dropped. I am aware that the value for iv-user cannot be changed, so we are trying to insert a custom header, which could be consumed by the application.
I have gone through some of the documentation for this, but the examples are lacking.
------------------------------
Giriraj Dave
------------------------------