Managing attributes

Attributes provide a mechanism to include additional information to share with an application. An attribute can carry specific information such as a company name, or user attributes that are obtained from the user's authenticated session. The attributes that are defined in Directory > Attributes are used for attribute mapping during application onboarding in Sign-on. For applications that support lifecycle, attributes can also be mapped through Applications > Applications > Gear icon > Account lifecycle.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator.

About this task

Verify can act as a single sign-on identity provider or a service provider. In this task, Verify is the identity provider, and the target application is the service provider.

Verify includes a default set of attribute sources from Cloud Directory, as described in Table 1. These built-in attribute sources are considered global, that is, applicable to any Verify subscription.
Note: You cannot delete built-in attribute sources. However, you can perform limited editing on a built-in attribute. You can:
  • Modify the tagging (Provisioning and Single sign-on).
  • Add more identity source credential maps.
  • Modify the default value.

Define other attribute sources that are not available by default if the application service provider requires the identity provider to include them in the SAML assertion. Otherwise, you do not need to create more attribute sources.

Table 1. Built-in attribute sources

Name                 Value                Description
department           department           Name of the department where the user is a member.
email                email                Email address of the user where notification is sent.
employee_id          employee_id          Unique identifier of the user in the organization.
family_name          family_name          Surname of the user.
given_name           given_name           Given name of the user.
groupIds             groupIds             Group display names from the Verify cloud directory.
job_title            job_title            Job title of the user in the organization.
mobile_number        mobile_number        Mobile number of the user where notification is sent.
name                 name                 A combination of the given_name and family_name.
preferred_username   preferred_username   Username that is used to log in to the identity provider.
realmName            realmName            An identity provider attribute that helps distinguish users from multiple identity providers that have the same username. See the realmName notes that follow this table.
tenantId             tenantId             A unique identifier that is assigned to the Verify subscription.
uid                  uid                  Unique identifier of the user in the Verify cloud directory.

Notes on realmName:

realmName uses the Realm value that is provided in the Authentication > Identity providers panel. For the following identity providers:
  • Cloud Directory, the realm value is cloudIdentityRealm.
  • IBMid, the realm value is www.ibm.com.
  • SAML Enterprise, the realm value can be any unique name that you assigned when you created the identity provider.
  • OnPrem LDAP, the realm value can be any unique name that you assigned when you created the identity provider.
  • Apple, the realm value is www.apple.com.
  • Baidu, the realm value is www.baidu.com.
  • Facebook, the realm value is www.facebook.com.
  • GitHub, the realm value is www.github.com.
  • Google, the realm value is www.google.com.
  • LinkedIn, the realm value is www.linkedin.com.
  • QQ, the realm value is www.qq.com.
  • Renren, the realm value is www.renren.com.
  • WeChat, the realm value is www.wechat.com.
  • Weibo, the realm value is www.wiebo.com.
  • X, the realm value is www.twitter.com.
  • Yahoo, the realm value is www.yahoo.com.

If Realm was not defined in Identity providers, realmName is mapped to the SAML authentication request realmName attribute.

If there is no incoming realmName attribute, realmName is derived from the SAML authentication response saml:Issuer data (the SAML issuer name).

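The realmName precedence described above (configured Realm first, then the realmName attribute of the SAML authentication request, then the saml:Issuer of the response) is easy to get wrong when writing a service-provider-side check. The following added example, which is not IBM's code and not part of this page, implements that fallback chain in Python and extracts saml:Issuer from a constructed SAML response; the function names, the sample response and the issuer value https://idp.example.com/saml are assumptions made for the example, and the BUILT_IN_REALMS dictionary holds a subset of the page's list.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Realm values for some of the built-in identity providers listed on the page
# (a subset; enterprise providers such as SAML Enterprise and OnPrem LDAP use
# whatever unique name the administrator assigned, so they are not fixed here).
BUILT_IN_REALMS = {
    "Cloud Directory": "cloudIdentityRealm",
    "IBMid": "www.ibm.com",
    "Apple": "www.apple.com",
    "Facebook": "www.facebook.com",
    "GitHub": "www.github.com",
    "Google": "www.google.com",
}

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample SAML response (example data, not captured from a real system);
# only the elements needed for this example are present.
SAMPLE_SAML_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
</samlp:Response>"""


def issuer_from_saml(xml_text: str) -> Optional[str]:
    """Return the text of the first saml:Issuer element, or None if it is absent or blank.

    xml.etree is not hardened against hostile XML (entity expansion, deep nesting);
    a parser that handles untrusted SAML in production should use defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    issuer = root.find(f".//{{{SAML_ASSERTION_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        return None
    return issuer.text.strip()


def resolve_realm_name(configured_realm: Optional[str],
                       request_realm: Optional[str],
                       saml_response_xml: Optional[str]) -> Optional[str]:
    """Apply the page's precedence: the Realm configured on the identity provider,
    then the realmName attribute of the SAML authentication request, then the
    saml:Issuer of the SAML response. Returns None if none of them is available."""
    if configured_realm:
        return configured_realm
    if request_realm:
        return request_realm
    if saml_response_xml:
        return issuer_from_saml(saml_response_xml)
    return None


if __name__ == "__main__":
    print(resolve_realm_name(BUILT_IN_REALMS["Cloud Directory"], None, None))
    print(resolve_realm_name(None, "corp-saml", SAMPLE_SAML_RESPONSE))
    print(resolve_realm_name(None, None, SAMPLE_SAML_RESPONSE))
```

Because realmName is what lets two users with the same preferred_username from different providers be told apart, a service provider that keys its accounts on username alone should treat a missing realmName as a configuration error rather than silently merging the users.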
You can perform the following tasks:

Procedure

  1. Select Directory > Attributes.
    The attributes are displayed with their name, source, description, and availability. You can use the search function to find a specific attribute.
  2. Optional: Select Filters to filter the results.
    You can search with one of the following filter options:
    Available for
    The filter selections are SSO, user profile display, and provisioning.
    Attribute value type
    The filter selections are built-in attribute, custom attribute, and identity source credentials and application profile.
  3. Create an attribute.
    1. Select Add Attribute.
      The Add Attribute page is displayed.
    2. Select the type of attribute that you want to add.
      Custom attribute
      This type of attribute can be used for provisioning or single sign-on or both.
      Advanced rule
      This type of attribute can be used to add or transform an attribute by using a code editor to apply functions and conditions.
      Identity source credential
      This type of attribute can be used for single sign-on only.
      Fixed value
      This type of attribute can be used for provisioning or single sign-on or both.
      Application profile
      This type of attribute can be used for provisioning through an application schema.
    3. Specify the purpose of the attribute.
    4. Select Next.
    5. Specify the following information for the attribute:
      Attribute name
      Specify a unique name that is easy to identify when you map the attribute to an application.
      Attribute ID
      Optionally, you can specify an identifier for the attribute.
      Description
      Optionally, provide an explanation about the attribute.
    6. Select Next.
    7. Specify the following information for the type of attribute that you are creating.
      Custom attributes
      • If you do not want to use the concatenated attribute name as the identifier, you can specify a different identifier.
        Note: The identifier cannot contain spaces, hyphens (-), or underscores (_).
      • Specify the data type and the availability from the menu.
      • Select whether to hash the value of the attribute. This option is available only if string is selected as the data type. This option also disables the Unique across all users in the directory constraint. Cloud Directory supports up to 10 LDAP hashed attributes.
        Note: After the attribute is saved, the hash option cannot be changed.
      • Select the identity provider for the attribute values from the menu and specify the attribute name. You can specify multiple providers and attribute names.
      • Select View additional settings to set a default value and a transformation.
      Advanced rule
      1. Specify the data type from the menu.
      2. Write your custom Common Expression Language (CEL) based rule in the code editor. See Attribute functions to understand how to write custom rules.
      3. To test your rule, select Show.
      4. On the left side, your own Cloud Directory user SCIM object is populated. It is used as a default input to your custom rule. You can use the Find user option to test the rule with another Cloud Directory user. You can add dummy data to the SCIM object to test changes. You can also add or substitute the iduser object for the user property as input to your rule.
      5. Select Run test. Continue testing your rule until you are satisfied with the results.
      See Attribute functions and Configuring attributes with custom functions.

      Go to step 10 (Select Add attribute).

      Identity source credential
      • Select the identity source for the attribute values from the menu and specify the attribute name. You can specify multiple sources and attribute names.
      • Specify the data type from the menu.
      • Select View additional settings to set a default value and a transformation.
      Go to step 10 (Select Add attribute).
      Fixed value
      • Specify the value that applies to all users.
      • Specify the data type from the menu.
      Go to step 10 (Select Add attribute).
      Application profile
      • Specify an identifier for your attribute.
        Note: The identifier cannot contain spaces or special characters. You can use hyphens (-) and underscores (_).
      • Specify the data type from the menu.
      Go to step 10 (Select Add attribute).
    8. Select Next.
      This step is for Custom attributes only.
    9. Add Constraints.
      This step is for Custom attributes only.
      1. Select how the user can interact with the attribute. Select one or more checkboxes.
        Utilize email format
        Validation options differ per format.
        Select type of validation
        No additional validation
        Regular expression (regex)
        Specify permitted values
        Domain names allowed
        Domain names disallowed
        Value must be empty
        Note: If you select Regular expression (regex), you must enter the regular expression in the field below. When the Utilize email format checkbox is selected, Value must be empty becomes available as one of the validation options.
        Read-only for user
        The user cannot edit the value after the account is created.
        Mandatory for user
        The field is required for user accounts and registration.
        Unique across all users in the directory
        The value cannot be the same value as another user's value in the same directory. If the Hash values option is selected for a custom attribute, this option is disabled.
      2. Select the type of validation.
        Regular expression (regex)
        Provide the expression.
        Specify permitted values
        Provide a value. You can select Add value to add more values.
        Value must be empty
        No value can be specified for the attribute. If this validation is chosen, Read-only for user is the only option that is available.
    10. Select Add attribute.
      You are returned to the Attributes page and the attribute is displayed in the list of attributes.
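The Constraints step above combines independent checkboxes (Mandatory for user, Unique across all users in the directory, Utilize email format, Hash values) with one selected validation type (regular expression, permitted values, allowed or disallowed domains, or value must be empty). The following added Python example, which is not IBM's code and not part of this page, models those rules as a validator that a custom registration or provisioning front end could run before submitting a value, including the page's note that hashing disables the uniqueness constraint. All names, the constraint encoding and the salted PBKDF2 storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Basic email shape check applied when "Utilize email format" is selected.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class AttributeConstraints:
    """Mirrors the Constraints step: independent checkboxes plus one validation type."""
    mandatory: bool = False          # Mandatory for user
    unique: bool = False             # Unique across all users in the directory
    email_format: bool = False       # Utilize email format
    hashed: bool = False             # Hash values (disables the unique constraint)
    # One of: "none", "regex", "permitted", "domains_allowed", "domains_disallowed", "empty"
    validation: str = "none"
    regex: Optional[str] = None
    permitted_values: Tuple[str, ...] = ()
    domains: Tuple[str, ...] = ()


def _domain_of(value: str) -> str:
    return value.rsplit("@", 1)[1].lower() if "@" in value else ""


def validate_attribute(value: Optional[str], c: AttributeConstraints,
                       existing_values: Iterable[str] = ()) -> List[str]:
    """Return the list of constraint violations; an empty list means the value is accepted."""
    errors: List[str] = []

    # "Value must be empty": no other check applies, the value simply has to be absent.
    if c.validation == "empty":
        if value:
            errors.append("value must be empty")
        return errors

    if value is None or value == "":
        if c.mandatory:
            errors.append("mandatory attribute is missing")
        return errors

    if c.email_format and not EMAIL_RE.match(value):
        errors.append("value is not an email address")

    if c.validation == "regex":
        # The pattern comes from an administrator, but it runs on every user-supplied
        # value, so review it for catastrophic backtracking before deploying it.
        if c.regex is None or re.fullmatch(c.regex, value) is None:
            errors.append("value does not match the configured regular expression")
    elif c.validation == "permitted":
        if value not in c.permitted_values:
            errors.append("value is not in the permitted values")
    elif c.validation in ("domains_allowed", "domains_disallowed"):
        listed = _domain_of(value) in {d.lower() for d in c.domains}
        if c.validation == "domains_allowed" and not listed:
            errors.append("email domain is not in the allowed list")
        if c.validation == "domains_disallowed" and listed:
            errors.append("email domain is in the disallowed list")

    # Uniqueness cannot be enforced on hashed values, matching the page's note.
    if c.unique and not c.hashed and value in set(existing_values):
        errors.append("value is already used by another user in the directory")

    return errors


def store_value(value: str, c: AttributeConstraints) -> str:
    """Return what would be persisted: the plain value, or a salted PBKDF2-SHA256
    digest encoded as salt_hex:digest_hex when the Hash values option is selected
    (the storage format is an assumption of this example, not the product's)."""
    if not c.hashed:
        return value
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)
    return f"{salt.hex()}:{digest.hex()}"


def matches_stored(candidate: str, stored: str, c: AttributeConstraints) -> bool:
    """Compare a candidate against a stored value; constant-time for hashed values."""
    if not c.hashed:
        return candidate == stored
    salt_hex, digest_hex = stored.split(":", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The point of keeping the validation type as a single field is that the page presents it as one choice, so the validator cannot accidentally be configured with, say, both a permitted list and a domain list; the checkboxes, by contrast, compose freely, which is why uniqueness and hashing need the explicit interaction rule.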
  4. Update an attribute.
    1. Use the search function to find a specific attribute.
    2. Optional: Select Filters to filter the results.
      You can search by
      Available for
      The filter selections are none, sso, user profile display, and provisioning.
      Attribute value type
      The filter selections are built-in attribute, custom attribute, and Identity source credentials.
    3. Select the attribute and select the Edit icon.
      You can also select the attribute to view its details and select Edit from the details pop-out. From the details pop-out, you can also view and connect to the applications that consume the attribute.
      The Edit Attribute page is displayed.
    4. Edit the attribute information.
      Note: If you change the purpose of the attribute, existing applications that consume the attribute can continue to use the attribute for the original purpose. The attribute name is changed to Untagged attribute in the application and is listed under Deprecated in the drop-down menu. For example, if the Single sign-on (SSO) checkbox is cleared on an existing attribute, applications that already consume that attribute for SSO can continue to use it for SSO. However, it is not available for SSO use on any new applications. The same is true for provisioning.

      You can view the applications that consume the attribute from the attribute details pop-out. Remap the application to use a different attribute for that purpose.

      The Hash value option cannot be changed.

      If an attribute is used by a dynamic role and you change the behavior of that attribute, you must reload the attribute in the dynamic role.

    5. Select Save.
  5. Delete an attribute.
    Note: You cannot delete an attribute when it is used in a cloud application connection or if it is a built-in attribute. You can view the applications that consume the attribute from the attribute details pop-out. You can connect to those applications from the pop-out to remove the attribute. The attribute must be removed from all the applications that consume it before the attribute can be deleted.
    1. Select the Edit icon in the application information.
      You can also select the attribute to view its details and select Edit from the details pop-out.
    2. Confirm that you want to permanently delete the selected attribute.