Configure Access Manager to Use Custom and Complex Identity Injection Logic Using Data Extension

Configure Access Manager to Use Custom and Complex Identity Injection Logic Using Data Extension

1. Introduction


 
Identity injection allows you to add information to the URL, Custom Header, or to the HTML page before it is posted to a Web server. The Web server uses this information to determine whether the user can access the resource, so it is the Web server that determines the information that you need to inject to allow access to the resource.

If you would like to know more about NAM Identity Injection policy. Please use this link: https://www.netiq.com/documentation/access-manager-42/admin/data/b5547ku.html

NAM provides multiple options (LDAP attribute, Client IP, OAuth Claims, etc.) to inject into URL, custom header, Cookie header, etc.

2. Business Requirement / Use cases


 
NAM provides an extensive list of options for injection and most of the time your requirement will meet with these options. But if you need to execute a business logic to determine the value which needs to be injected, NAM provides an opportunity to use Data Extension and develop your business logic using Java code.

NAM Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/bookinfo.html

3. Develop Data Extension


 

3.1 Prerequisite


 
You should have the following items before starting development:

    1. Java SDK 1.6 or above (click here to download)

 

    1. IDE for Java (Click here to download Eclipse)

 

    1. nxpe.jar file (can be copied from “/opt/novell/nesp/lib/webapp/WEB-INF/lib” location of Access Gateway server)




3.2 Create Java Project and Configure Eclipse



    1. Open eclipse IDE and go to File -> New -> Java Project. Enter Project Name.

 

    1. Right click on the project, go to Build Path -> Configure Build Path

 

    1. Click on “Java Build Path” on the left menu and go to “Libraries” tab

 

    1. Click on “Add External JARs…” button and select the nxpe.jar file.11

 

    1. Right click on the src (Under Java Project) and click on new -> Package and enter the package name.12



3.3 Develop Factory and Data Extension Class



    1. Right click on the package and go to new -> class and enter a class name (For example MyDataFactory). Copy the following code and replace everything in MyDataFactory class.



MyDataFactory

    1. Right click on the package and go to new -> class and create another class (For example MyDataExtn). Copy the following code and replace everything in MyDataExtn class.


MyDataExtn
Please see the following NetIQ documentation to understand the process flow of data extension.

Developer Guide: https://www.netiq.com/documentation/access-manager-42/nacm_enu/data/bookinfo.html

Sample Code: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/main.html

NAM Data Extension Example: https://www.netiq.com/documentation/access-manager-developer-documentation/samplecodes/nacm32/PolicyDataExtnTemplate/Readme_TemplateDataExtension_Example.pdf

3.4 Export JAR



    1. Right click on the Project and click on “Export…” menu. Choose JAR file and click on Next. 3

 

    1. Choose the export destination and click Next, Next and Finish. Leave all settings as default. 13



At this point you have created a Data Extension JAR file.

3.5 Upload JAR in Admin Console



    1. Go to Policies -> Extensions and click on “Upload…” button.



5

    1. Bowser the JAR file you have saved in section 3.4. If you are uploading same JAR file multiple times for testing your business logic, please check Overwrite existing *.jar file.



14

At this point you have uploaded the JAR file in Admin Console.

3.6 Create Policy Extension




    1. Click on “New…” and input following Information:



6
Name

      : MyDataExtensionPolicy


Description

      : This is my data extension policy


Policy Type

      : Access Gateway: Identity Injection


Type

      : Data


Class Name

      : com.plugin.MyDataFactory


File Name

      : MyDataExtension



15

    1. Click on the Extension policy you have just created and provide one configuration parameter. If you look at the MyDataExtn.java file, the program is expecting employeeType in the business logic. You can provide this parameter to the extension class by using configuration parameters from the extension policy.



The ID given in the program and configuration parameters should match. For example I am providing employee_type with ID = 100.

16

3.7 Distribute Policy Extension to Access Gateway Server


 
Select the extension policy you just created and click on the “Distribute JARs” button

8

Click ok on the confirmation window. You must restart Access Gateway service after JAR distribution.

 

3.8 Use Policy Extension in Authorization Policy



    1. Go to Policies -> Policies -> Your Container and click “New…”


Name

      : MyDataInjectionPolicy


Type

      : Access Gateway: Identity Injection


17

    1. Click on New -> Inject into custom header -> provide header name (for nameple employeeType). Choose value -> Data Extension -> MyDataExtensionPolicy



18

4. Test the Injection Policy


 
Assign the MyDataInjectionPolicy to any protected resources and check the injection data.

If any employee logs in, this policy will inject employeeType = Full Time Employee
If any Contractor or Vendor logs in, this policy will inject employeeType = Contractor
If any other use type logs in, this policy will inject empty value into employeeType parameter

Please check the /var/opt/novell/nam/logs/mag/tomcat/catalina.out log and you will find the log which you have printed from the java code.

Please contact me if you find any issues during development.

Labels (2)
Attachments

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
2 of 2
Last update:
‎2020-01-31 11:58
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.