Configure Access Manager to Use Custom and Complex Identity Injection Logic Using Data Extension
Identity injection allows you to add information to the URL, Custom Header, or to the HTML page before it is posted to a Web server. The Web server uses this information to determine whether the user can access the resource, so it is the Web server that determines the information that you need to inject to allow access to the resource.
If you would like to know more about NAM Identity Injection policy. Please use this link: https://www.netiq.com/documentation/access-manager-42/admin/data/b5547ku.html
NAM provides multiple options (LDAP attribute, Client IP, OAuth Claims, etc.) to inject into URL, custom header, Cookie header, etc.
2. Business Requirement / Use cases
NAM provides an extensive list of options for injection and most of the time your requirement will meet with these options. But if you need to execute a business logic to determine the value which needs to be injected, NAM provides an opportunity to use Data Extension and develop your business logic using Java code.
NAM Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/bookinfo.html
3. Develop Data Extension
You should have the following items before starting development:
- Java SDK 1.6 or above (click here to download)
- IDE for Java (Click here to download Eclipse)
- nxpe.jar file (can be copied from “/opt/novell/nesp/lib/webapp/WEB-INF/lib” location of Access Gateway server)
3.2 Create Java Project and Configure Eclipse
- Open eclipse IDE and go to File -> New -> Java Project. Enter Project Name.
- Right click on the project, go to Build Path -> Configure Build Path
- Click on “Java Build Path” on the left menu and go to “Libraries” tab
- Click on “Add External JARs…” button and select the nxpe.jar file.
- Right click on the src (Under Java Project) and click on new -> Package and enter the package name.
3.3 Develop Factory and Data Extension Class
- Right click on the package and go to new -> class and enter a class name (For example MyDataFactory). Copy the following code and replace everything in MyDataFactory class.
- Right click on the package and go to new -> class and create another class (For example MyDataExtn). Copy the following code and replace everything in MyDataExtn class.
Please see the following NetIQ documentation to understand the process flow of data extension.
Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/bookinfo.html
Sample Code: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/main.html
NAM Data Extension Example: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/nacm32/PolicyDataExtnTemplate/Readme_TemplateDataExtension_Example.pdf
3.4 Export JAR
- Right click on the Project and click on “Export…” menu. Choose JAR file and click on Next.
- Choose the export destination and click Next, Next and Finish. Leave all settings as default.
At this point you have created a Data Extension JAR file.
3.5 Upload JAR in Admin Console
- Go to Policies -> Extensions and click on “Upload…” button.
- Bowser the JAR file you have saved in section 3.4. If you are uploading same JAR file multiple times for testing your business logic, please check Overwrite existing *.jar file.
At this point you have uploaded the JAR file in Admin Console.
3.6 Create Policy Extension
- Click on “New…” and input following Information:
- : MyDataExtensionPolicy
- : This is my data extension policy
- : Access Gateway: Identity Injection
- : Data
- : com.plugin.MyDataFactory
- : MyDataExtension
- Click on the Extension policy you have just created and provide one configuration parameter. If you look at the MyDataExtn.java file, the program is expecting employeeType in the business logic. You can provide this parameter to the extension class by using configuration parameters from the extension policy.
The ID given in the program and configuration parameters should match. For example I am providing employee_type with ID = 100.
3.7 Distribute Policy Extension to Access Gateway Server
Select the extension policy you just created and click on the “Distribute JARs” button
Click ok on the confirmation window. You must restart Access Gateway service after JAR distribution.
3.8 Use Policy Extension in Authorization Policy
- Go to Policies -> Policies -> Your Container and click “New…”
- : MyDataInjectionPolicy
- : Access Gateway: Identity Injection
- Click on New -> Inject into custom header -> provide header name (for nameple employeeType). Choose value -> Data Extension -> MyDataExtensionPolicy
4. Test the Injection Policy
Assign the MyDataInjectionPolicy to any protected resources and check the injection data.
If any employee logs in, this policy will inject employeeType = Full Time Employee
If any Contractor or Vendor logs in, this policy will inject employeeType = Contractor
If any other use type logs in, this policy will inject empty value into employeeType parameter
Please check the /var/opt/novell/nam/logs/mag/tomcat/catalina.out log and you will find the log which you have printed from the java code.
Please contact me if you find any issues during development.