Configure Access Manager to Inject Data Using Virtual Attribute


1. Introduction

Identity injection allows you to add information to the URL, Custom Header, or to the HTML page before it is posted to a Web server. The Web server uses this information to determine whether the user can have access to the resource, so it is the Web server that determines the information that you need to inject to allow access to the resource.

If you would like to know more about NAM Identity Injection policy. Please use the following link:

NAM provides multiple options (LDAP attribute, Client IP, OAuth Claims etc.) to inject into the URL, custom header, Cookie header, etc.

2. Business Requirement / Use cases

NAM out of the box injection values are static and meet the requirements most of time. But if you need to inject dynamic values or need to perform some modification (like Capitalize of any LDAP attribute, extract CN value from DN format), NAM has given you the opportunity to use Virtual Attribute.

Please go through the following URL to learn about Virtual Attribute:

3. Configure Virtual Attribute


3.1 Create Data Source

    1. Go to Identity Servers -> Shared Setting -> Data Source


    1. Click on sign and create your data source

3.2 Create Attribute Source

    1. Go to Identity Servers -> Shared Setting -> Virtual Attributes -> Attribute Source and add an attribute source.


    1. Specify an attribute source Name, description of the attribute source and select Data Source Name.
      Provide input parameters: This the input parameter name (P1) and it should contain any value (like user id, employee id, global id etc.) which can be used to uniquely identify the user from the Data Source. In my example, I have given sAMAccountName as unique identifier.

Provide filter and output parameters: Specify an LDAP filter that must use the input details specified in the Provide input parameters section

Filter: sAMAccountName=%P1%
Filter Output Name: memberOf


3.3 Create Virtual Attribute and Test

      1. Go to Identity Servers -> Shared Setting -> Virtual Attributes -> Virtual Attribute and click on sign to create a virtual attribute


    1. Provide input parameter P1: memberOf

My example will retrieve the CN value of user’s group and capitalize it.

Select a function: Advanced: Javascript
Script: Copy and paste following javascript

function main( P1 ){
return capitalizeGroupCN(P1);
function capitalizeGroupCN(attribute){
var result = [];
if(attribute instanceof Array){
var j =0;
for(var i=0; i<attribute.length; i ){
var group = getGroupCN(attribute[i]);
result[j ] = convertToUpperCase(group);
var group = getGroupCN(attribute);
result[0] = convertToUpperCase(group);
return result;

function getGroupCN(group){
var startindex = 3;// it starts with cn
var endindex = group.indexOf(",");
return group.substring( startindex, endindex);

function convertToUpperCase (attribute){
var result ;
if(attribute instanceof Array){
result = [];
for(var i=0; i<attribute.length; i )
result[i] = attribute[i].toUpperCase();
result = attribute.toUpperCase();
return result;

You can test your script by providing a few Test Values. Here is the example:



3.4 Create in Identity Injection Policy

Create Access Gateway Identity Injection policy and use Virtual Attribute as follows.


4. Test the Injection Policy

Assign the Identity Injection policy to your protected resource and look for the groupName header variable. You will find the user’s group name in upper case.

Please comment here if you have any questions or queries.


How To-Best Practice
Comment List