Mechanisms for adding registry attributes to a credential

You can configure an external service to add attributes to a user credential.

The WebSEAL authentication process accesses the Security Verify Access user registry and builds a credential for the user. The credential contains the user information that is needed to make access decisions, such as the user name and the list of groups to which the user belongs.

WebSEAL supports several different mechanisms (services) that allow administrators and application developers to extend the authentication process. When WebSEAL conducts the authentication process, it checks to see if any external services have been implemented and configured. When they have, WebSEAL calls those services. The services can do their own processing to build a list of extended attributes about the user identity. These extended attributes are added to the user credential.

The following service is supported:

Registry attribute entitlement service

This entitlement service is built in to Security Verify Access by default. It is an implementation of a class of Security Verify Access entitlement services known as credential attribute entitlement services. The registry attribute entitlement service obtains specified user information from a user registry (such as an LDAP user registry) and inserts the data into an attribute list in the user credential. This built-in registry attribute entitlement service is a generic entitlement service that can be used by many resource managers. It takes the place of a previous method that required administrators to add "tag/value" entries to the [ldap-ext-creds-tag] stanza in the pd.conf configuration file. For configuration information, see Configure a registry attribute entitlement service.
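The following model illustrates the flow described above: the core credential is built from the registry entry, then each configured entitlement service returns an attribute list that is merged into the credential as extended attributes. It is an added example and not IBM or WebSEAL code; the in-memory registry, the service interface, the attribute-name mapping and the rule that a service cannot overwrite core fields are all assumptions of the example, not documented behaviour.

```python
from typing import Callable

# Constructed stand-in for an LDAP user registry: DN -> entry attributes.
REGISTRY = {
    "cn=alice,o=example": {
        "uid": ["alice"],
        "memberOf": ["cn=admins,o=example", "cn=staff,o=example"],
        "mail": ["alice@example.com"],
        "department": ["security"],
    },
}

# Assumed service interface: (registry entry, core credential) -> attribute list
# (credential attribute name -> list of values) to be added to the credential.
EntitlementService = Callable[[dict, dict], dict]


def registry_attribute_service(attr_map: dict) -> EntitlementService:
    """Build a registry attribute entitlement service.

    attr_map maps a registry attribute name to the credential attribute name it
    is stored under (assumed configuration shape for this example only).
    """
    def service(entry: dict, core: dict) -> dict:
        attrs = {}
        for reg_name, cred_name in attr_map.items():
            if reg_name in entry:                      # absent attributes are skipped
                attrs[cred_name] = list(entry[reg_name])  # multi-valued stays a list
        return attrs
    return service


def build_credential(dn: str, services: list) -> dict:
    """Build the user credential: core identity from the registry, then the
    extended attributes returned by each configured entitlement service."""
    entry = REGISTRY[dn]
    core = {"user_name": entry["uid"][0], "groups": list(entry["memberOf"])}
    extended = {}
    for svc in services:
        for name, values in svc(entry, core).items():
            # Example's own rule: core fields stay authoritative, services
            # only add extended attributes and cannot replace them.
            if name in core:
                continue
            extended.setdefault(name, []).extend(values)
    return {**core, "extended_attributes": extended}
```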

Note: Security Verify Access provides additional built-in entitlement services that can be used to add other information to the credential. These services, however, obtain their information from sources other than user registry entries. For example, the extended attribute entitlement service obtains information from ACLs and POPs in the protected resource object space. For more information about entitlement services, see the IBM Knowledge Center.