Extract Attributes for Authenticated User Assertion
The Extract Attributes for Authenticated User assertion is used to create context variables based on the attributes of a previously authenticated user. The context variables created here are primarily intended to be used by the Create SAML Token assertion, but they can be read by any assertion that uses context variables.
The context variables created by this assertion have user-defined names.
The Extract Attributes for Authenticated User assertion must be placed after the Authenticate User or Group assertion. If the Gateway is unable to authenticate a user, then no context variables will be created.
Using the Assertion
1. Do one of the following:
   - To add the assertion to the Policy Development window, see Adding an Assertion.
   - To change the configuration of an existing assertion, proceed to step 2 below.
2. When adding the assertion, the properties automatically appear; when modifying the assertion, right-click Extract Attributes for Authenticated User in the policy window and select Identity Attributes Properties. The assertion properties are displayed.
3. Configure the properties as follows:

   | Setting | Description |
   | --- | --- |
   | Identity Provider | Select the identity provider from the drop-down list. |
   | Variable Prefix | Enter a prefix that will be added to the context variables created by this assertion. This prefix will ensure uniqueness and will prevent the variables from overwriting each other when multiple instances of this assertion appear in a policy. The default is authenticatedUser. For an explanation of the validation messages displayed, see Context Variable Validation. |
   | User/Group Attribute | This table lists the context variables that have been created for the identity provider and the attributes to be extracted from the authenticated user. Choose one of the following actions: |

   - To add a new context variable, click [Add] and then complete the User Attribute Mapping dialog in step 4.
   - To change a context variable in the list, select it, click [Edit], and then complete the User Attribute Mapping dialog in step 4.
   - To remove a context variable in the list, select it and then click [Remove].
4. If adding or editing a context variable, the User Attribute Mapping dialog appears.
5. Configure the dialog as follows:

   | Setting | Description |
   | --- | --- |
   | Identity Provider | The identity provider that was selected on the Identity Attributes dialog, displayed here for your reference. |
   | Built-In Attribute | Select this option to create a context variable based on a predefined attribute in the system. Choose the attribute to use from the drop-down list. Note: Not all identity providers can provide every attribute shown in the list. If you select a combination that results in no attribute, the resulting context variable will have no value. |
   | Custom Attribute | Select this option if you are using an LDAP identity provider and you wish to use an attribute not in the built-in list. Type the name of the custom attribute to use. The validator will give you instant feedback as to whether the attribute contains valid characters. |
   | Context Variable Name | The system displays the name of the context variable that will be created, based on the attribute specified and the prefix entered on the previous screen. You may edit the attribute portion of the name if necessary. The validator will give you instant feedback as to whether the variable name contains valid characters. |
   | Multivalued | Select this check box if the variable is expected to hold multiple values and all values from the attribute should be stored in the context variable. Clear this check box if the context variable is not expected to be multivalued. Only the first value is stored, even if multiple values are present. For more information on using multivalued variables, including delimiter characters and concatenation options, see Working with Multivalued Context Variables. |
6. Click [OK].
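The following Python sketch is an added example, not Gateway code and not part of the original documentation. It models the behavior described above so the effect of the Variable Prefix and Multivalued settings can be checked before a mapping feeds a SAML token. The function name, the `<prefix>.<name>` variable format, and the sample users are assumptions made for illustration.

```python
# Added illustration: a simplified model of the documented behavior.
# Assumption: variables are named "<prefix>.<name>"; the real format may differ.

def extract_attributes(user, prefix, mappings, context=None):
    """Return the context after one instance of the assertion has run.

    user     -- dict of attribute -> list of values, or None when no user
                was authenticated earlier in the policy
    mappings -- list of (attribute, variable_name, multivalued) tuples
    context  -- variables already set by earlier assertions, if any
    """
    context = {} if context is None else context
    if user is None:
        return context  # no authenticated user: no variables are created
    for attribute, name, multivalued in mappings:
        values = user.get(attribute, [])
        if multivalued:
            context[f"{prefix}.{name}"] = list(values)  # all values stored
        else:
            # Only the first value is stored; a missing attribute yields a
            # variable with no value.
            context[f"{prefix}.{name}"] = values[0] if values else None
    return context


# Constructed sample users (not real directory data).
ALICE = {"mail": ["alice@example.com"], "memberOf": ["cn=staff", "cn=admins"]}
BOB = {"mail": ["bob@example.com"]}

if __name__ == "__main__":
    # Multivalued cleared: the second group is silently dropped.
    print(extract_attributes(ALICE, "authenticatedUser",
                             [("memberOf", "groups", False)]))
    # Multivalued selected: both groups are kept.
    print(extract_attributes(ALICE, "authenticatedUser",
                             [("memberOf", "groups", True)]))
    # Two instances sharing the default prefix: the second overwrites the first.
    ctx = extract_attributes(ALICE, "authenticatedUser", [("mail", "email", False)])
    print(extract_attributes(BOB, "authenticatedUser", [("mail", "email", False)], ctx))
    # Distinct prefixes keep both sets of variables.
    ctx = extract_attributes(ALICE, "idp1User", [("mail", "email", False)])
    print(extract_attributes(BOB, "idp2User", [("mail", "email", False)], ctx))
```

When a mapped attribute carries group or role membership that a downstream consumer uses for authorization, confirm that Multivalued is selected, since a single-valued mapping passes on only the first value.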