Extract Attributes for Authenticated User Assertion

The Extract Attributes for Authenticated User assertion is used to create context variables based on the attributes of a previously authenticated user. The context variables created here are primarily intended to be used by the Create SAML Token assertion, but they can be read by any assertion that uses context variables.
The context variables created by this assertion have user-defined names.
The Extract Attributes for Authenticated User assertion must be placed after the Authenticate User or Group assertion. If the Gateway is unable to authenticate a user, then no context variables will be created.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the properties automatically appear; when modifying the assertion, right-click Extract Attributes for Authenticated User in the policy window and select Identity Attributes Properties. The assertion properties are displayed.
  3. Configure the properties as follows:
    Identity Provider: Select the identity provider from the drop-down list.
    Variable Prefix: Enter a prefix that will be added to the context variables created by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy. The default is authenticatedUser. For an explanation of the validation messages displayed, see Context Variable Validation.
    User/Group Attribute: This table lists the context variables that have been created for the identity provider and the attributes to be extracted from the authenticated user. Choose one of the following actions:
    • To add a new context variable, click [Add] and then complete the User Attribute Mapping dialog in step 4.
    • To change a context variable in the list, select it, click [Edit], and then complete the User Attribute Mapping dialog in step 4.
    • To remove a context variable from the list, select it and then click [Remove].
  4. If adding or editing a context variable, the User Attribute Mapping dialog appears.
  5. Configure the dialog as follows:
    Identity Provider: The identity provider that was selected on the Identity Attributes dialog, displayed here for your reference.
    Built-In Attribute: Select this option to create a context variable based on a predefined attribute in the system. Choose the attribute to use from the drop-down list.
    Note: Not all identity providers can provide every attribute shown in the list. If you select a combination that results in no attribute, the resulting context variable will have no value.
    Custom Attribute: Select this option if you are using an LDAP identity provider and you wish to use an attribute not in the built-in list. Type the name of the custom attribute to use. The validator gives you instant feedback as to whether the attribute name contains valid characters.
    Context Variable Name: The system displays the name of the context variable that will be created, based on the attribute specified and the prefix entered on the previous screen. You may edit the attribute portion of the name if necessary. The validator gives you instant feedback as to whether the variable name contains valid characters.
    Multivalued: Select this check box if the variable is expected to hold multiple values and all values from the attribute should be stored in the context variable. Clear this check box if the context variable is not expected to be multivalued; only the first value is stored, even if multiple values are present.
    For more information on using multivalued variables, including delimiter characters and concatenation options, see Working with Multivalued Context Variables.
  6. Click [OK] when done.