Authentication Context Variables

The following table lists the context variables related to authentication requests.
Variable
Description
${<target>.authenticateduser}
Returns the name of the most recently authenticated user by the Layer7 API Gateway for the target message. This name may differ from that returned by ${<target>.username}, which is the "raw" name retrieved from the credentials.
You can access additional user details about the authenticated user by appending the following suffixes:
  • .providerId: user's identity Provider ID
  • .id: user's identifier
  • .login: user's login ID
  • .firstName: user's first name
  • .lastName: user's last name
  • .email: user's email address
  • .department: user's department
  • .subjectDn: user's X.509 subject DN
For example, ${request.authenticateduser.id} retrieves the user's ID from the request message.
If the policy is configured for multiple authentications, you can further append '.0', '.1', '.2', etc., suffixes to the context variable to retrieve the nth authenticated identity in the context. For example, use ${request.authenticateduser.0} for the first authenticated identity, ${request.authenticateduser.1} for the second authenticated identity in the context, and so on.
${<target>.authenticatedusers}
This is the multivalued version of ${<target>.authenticateduser}. It returns all the authenticated user names in a true multivalued context variable that supports delimiters and indexing.
The indexing feature works similarly to the numerical suffixes in <target>.authenticateduser. For example: ${request.authenticateduser.0} = ${request.authenticatedusers.[0]}, ${request.authenticateduser.1} = ${request.authenticatedusers.[1]}, and so on.
${<target>.authenticateddn}
Returns the DN (Distinguished Name) of the most recently authenticated user for the request by the Layer7 API Gateway.
If the policy is configured for multiple authentications, you can append '.0', '.1', '.2', etc., suffixes to the context variable to retrieve the nth authenticated DN in the context. For example, use ${request.authenticateddn.0} for the first authenticated DN, ${request.authenticateddn.1} for the second authenticated DN in the context, and so on.
${<target>.authenticateddns}
This is the multivalued version of ${<target>.authenticateddn}. It returns all the authenticated DNs in a true multivalued context variable that supports delimiters and indexing.
The indexing feature works similarly to the numerical suffixes in <target>.authenticateddn. For example: ${request.authenticateddn.0} = ${request.authenticateddns.[0]}, ${request.authenticateddn.1} = ${request.authenticateddns.[1]}, and so on.
${<target>.buffer.allowed}
Returns one of the following strings:
  • true: Buffering is permitted for this message. This is the default setting. If the buffer status is currently "unread", using the message will move it to "buffered".
  • false: Buffering is not allowed for this message. If the buffer status is currently "unread", using the message will move it to "gone".
${<target>.password}
Returns the password (if available) as a plain text string from the user credentials for the target.
The Require HTTP Basic Credentials assertion must be present in the policy when using the ${<target>.password} variable.
${<target>.username}
Returns the user name as a plain text string from the user credentials for the target. This name may differ from the name returned by ${<target>.authenticateduser}, which is the name on the authenticated user's account in an identity provider.
The Require HTTP Basic Credentials assertion must be present in the policy if using the ${<target>.username} variable.
${request.identityMappings}
Returns a multivalued variable that contains every message context mapping.
Identity mapping information can also be obtained in an easier-to-read format from the original variables defined in the Capture Identity of Requestor Assertion.
${request.identityMappings.length}
Returns the number of message context mappings associated with the request.
${request.identityMappings<X>} 
A zero-based index of the context mapping to be accessed/returned (for example, "[1]" returns the second recorded mapping).
The following are example values returned:
Mapping Type :CUSTOM_MAPPING
Mapping Key :KEY_CUSTOM_1
Mapping Value:SOME_CUSTOM_VALUE
or...
Mapping Type :IP_ADDRESS
Mapping Key :IP_ADDRESS
Mapping Value:10.242.12.174
${request.identityMappings.<X>.key}
Returns the KEY of the "X" recorded identity mapping. Examples of the key might be:
IP_ADDRESS
customThing
${request.identityMappings.<X>.value}
Returns the VALUE of the "X" recorded identity mapping. Examples of values might be:
127.0.0.1
WIDGET123
${request.identityMappings.<X>.type}
Returns the TYPE of the "X" recorded identity mapping (not zero based), which is one of:
IP_ADDRESS
AUTH_USER
CUSTOM_MAPPING
${secpass.<name>.description}
Returns the description of the password with the name <name>.
This variable is available only if the password has been enabled for context variable reference. If not, it will return no values. For more information, see Stored Password Properties.
${secpass.<name>.plaintext}
Returns the actual stored password with the name <name>, in plain text.
This variable is available only if stored passwords are permitted to be referenced by context variables. If not, this variable returns no value. For more information, see Stored Password Properties.
This context variable may be used in system (that is, non-assertion) dialog boxes even when context variable reference has not been granted for stored passwords. For complete details, see "Permit use via context variable reference" in Stored Password Properties.
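Because ${<target>.password} and ${secpass.<name>.plaintext} both resolve to a secret in plain text, it is worth checking where they are referenced before that text reaches an audit message or log. The following is an added example, not part of the original documentation or the product: a small Python check that scans free text for those two reference shapes. The sample templates, the stored password name "backend_api" and the function name find_plaintext_refs are constructed for illustration and do not reflect real policy export syntax.

```python
import re

# Matches ${...} references; the body is captured without the braces.
REF = re.compile(r"\$\{([^}]+)\}")

# Reference shapes that, per the table above, return a secret as plain text.
PLAINTEXT_RULES = [
    (re.compile(r"^secpass\.(?P<name>.+)\.plaintext$"), "stored password in plain text"),
    (re.compile(r"^(?P<name>.+)\.password$"), "credential password in plain text"),
]


def find_plaintext_refs(text):
    """Return (line_no, variable, reason) for each secret-bearing reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in REF.finditer(line):
            var = match.group(1).strip()
            for pattern, reason in PLAINTEXT_RULES:
                if pattern.match(var):
                    findings.append((line_no, var, reason))
                    break
    return findings


# Constructed sample: free-text templates, not real Layer7 policy export syntax.
SAMPLE = """\
audit: login for ${request.username} as ${request.authenticateduser.login}
audit: basic creds ${request.username}:${request.password}
route: backend key is ${secpass.backend_api.plaintext}
note: ${secpass.backend_api.description}
audit: users=${request.authenticatedusers.[0]}
"""

if __name__ == "__main__":
    for line_no, var, reason in find_plaintext_refs(SAMPLE):
        print(f"line {line_no}: ${{{var}}} -> {reason}")
```

References such as ${request.username} and ${secpass.backend_api.description} are not flagged, since the table does not describe them as returning a password.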