You can select attributes that an identity provider sends in an authentication request or that a service provider receives in an authentication response. The attributes are selected from an attribute set, which you can create or select from a list of already defined sets (see Section 6.1, Configuring Attribute Sets).
For best performance, you should configure the trusted providers to use attribute sets, especially for attributes that have static values such as a user’s e-mail address, employee ID, or phone number. It reduces the traffic between the provider and the LDAP server, because the attribute information can be gathered in one request at authentication rather than in a separate request for each attribute when a policy or protected resource needs the attribute information.
When the Identity Server creates its request to send to the identity provider, it uses the attributes that you have selected. The request asks the identity provider to provide values for these attributes. You can then use these attributes to create policies, to match user accounts, or if you allow provisioning, to create a user account on the service provider.
1. In the Administration Console, click > > > > > .
2. (Conditional) To create an attribute set, select from the drop-down menu.
   An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can specify that the local attribute of any attribute in the Liberty profile (such as Informal Name) matches the remote attribute specified at the service provider.
   a. Specify a set name, then click .
   b. On the Define Attributes page, click .
   c. Select a local attribute.
   d. Optionally, provide the name of the remote attribute and a namespace.
   e. Click .
      For more information on this process, see Section 6.1, Configuring Attribute Sets.
   f. To add other attributes to the set, repeat Step 2.b through Step 2.e.
   g. Click .
3. Select an attribute set.
4. Select attributes from the list, and move them to the left side of the page.
   The attributes that you move to the left side of the page are the attributes you want to be obtained during authentication.
5. Click twice.
6. Update the Identity Server.
When the Identity Server creates its response for the service provider, it uses the attributes listed on the Attributes page. The response needs to contain the attributes that the service provider requires. If you do not own the service provider, you need to contact the administrator of the service provider and negotiate which attributes you need to send in the response. The service provider can then use these attributes to identify the user, to create policies, to match user accounts, or if it allows provisioning, to create a user account on the service provider.
1. In the Administration Console, click > > > > > .
2. (Conditional) To create an attribute set, select from the drop-down menu.
   An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can specify that the local attribute of any attribute in the Liberty profile (such as Informal Name) matches the remote attribute specified at the service provider.
   a. Specify a set name, then click .
   b. On the Define Attributes page, click .
   c. Select a local attribute.
   d. Optionally, you can provide the name of the remote attribute and a namespace.
   e. Click .
      For more information on this process, see Section 6.1, Configuring Attribute Sets.
   f. To add other attributes to the set, repeat Step 2.b through Step 2.e.
   g. Click .
3. Select an attribute set.
4. Select attributes from the list, and move them to the left side of the page.
   The left side of the page lists the attributes that you want sent in an assertion to the service provider.
5. Click twice.
6. Update the Identity Server.
You can configure the Embedded Service Provider (ESP) of the Access Gateway to receive attributes when the user authenticates. LDAP traffic is reduced and performance is improved when the required LDAP attribute values are retrieved during authentication. This improvement is easily seen when you have many users and you have configured Identity Injection or Authorization policies to protect resources and these policies use LDAP attributes or Identity Server roles.
When the authentication process does not gather the LDAP attribute values, each user access can generate a new LDAP query, depending upon how the user accesses the resources and how the policies are defined. However, if the LDAP values are gathered at authentication, one LDAP query can retrieve all the needed values for the user.
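The following Python model is added here to illustrate the point made in this section and in the attribute-set discussion at the top of the page; it is not product code or part of this documentation. An attribute set lets the Identity Server fetch every listed attribute in one LDAP search at login and answer policy lookups from the session, whereas without a set each lookup goes back to the directory. The directory entry, attribute names, mapping values and the lookup-per-access behaviour are constructed assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
@dataclass(frozen=True)
class AttributeMapping:
    """One entry of an attribute set: local LDAP attribute, optional remote name and namespace."""
    local: str
    remote: Optional[str] = None
    namespace: Optional[str] = None
class MockLdap:
    """Stand-in directory (constructed data) that counts every search it answers."""
    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries, self.queries = entries, 0

    def search(self, dn: str, attrs: List[str]) -> Dict[str, Optional[str]]:
        self.queries += 1
        return {a: self.entries[dn].get(a) for a in attrs}

class IdentityServer:
    def __init__(self, ldap: MockLdap, attribute_set: List[AttributeMapping]):
        self.ldap, self.attribute_set = ldap, list(attribute_set)

    def authenticate(self, dn: str) -> dict:
        """Login: one search fetches every attribute in the set and caches it in the session."""
        session = {"dn": dn, "attrs": {}}
        if self.attribute_set:
            session["attrs"] = self.ldap.search(dn, [m.local for m in self.attribute_set])
        return session

    def attribute(self, session: dict, name: str) -> Optional[str]:
        """Policy or protected-resource lookup: served from the session, else a fresh search (assumed)."""
        if name in session["attrs"]:
            return session["attrs"][name]
        return self.ldap.search(session["dn"], [name])[name]

    def assertion_attributes(self, session: dict) -> Dict[Tuple[Optional[str], str], Optional[str]]:
        """Attribute statement for the trusted provider, keyed by (namespace, remote-or-local name)."""
        return {(m.namespace, m.remote or m.local): self.attribute(session, m.local)
                for m in self.attribute_set}

def simulate(attribute_set: List[AttributeMapping], policy_attrs: List[str]) -> Tuple[dict, int]:
    """One login, then each policy evaluation in turn; returns (assertion, LDAP query count)."""
    ldap = MockLdap({"cn=jdoe,o=example": {"mail": "jdoe@example.com",
                                          "employeeID": "1042", "telephoneNumber": "555-0100"}})
    idp = IdentityServer(ldap, attribute_set)
    session = idp.authenticate("cn=jdoe,o=example")
    assertion = idp.assertion_attributes(session)
    for name in policy_attrs:
        idp.attribute(session, name)
    return assertion, ldap.queries
```

With the full set, a login followed by four policy checks costs a single directory search; with no set, every policy check is a search of its own.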
1. In the Administration Console, click > > Shared Settings.
2. On the Attributes page, click , specify a name, then click .
3. For each attribute you need to add because it is used in a policy:
   a. Click .
   b. In the drop-down list, scroll to the LDAP Attribute section, then select the attribute.
   c. Click .
      The other fields do not need to be configured.
4. If you use Identity Server roles in your policies, click , select the All Roles attribute, then click .
5. Click .
   This saves the attribute set.
6. Click > > .
7. Click the name of the Embedded Service Provider.
   If the Embedded Service Provider is part of a cluster of Access Gateways, the default name is the cluster name. If the Access Gateway is not part of a cluster, the default name is the IP address of the Access Gateway.
8. Click .
9. For the attribute set, select the set you created for the Embedded Service Provider.
10. Select attributes from the list, then move them to the left side of the page.
11. Click , then update the Identity Server.