Managing Attribute Sources
    • 01 Sep 2024
    • 7 Minutes to read
    • Dark
      Light
    • PDF

    Managing Attribute Sources

    • Dark
      Light
    • PDF

    Article summary

    Attribute Sources enable you to create Authorization Policies using information from multiple Identity Sources. These Sources can be defined locally or pulled from External Identity Sources within your Organization.  When creating a new Source, you need to define the Source Type. You can only select one Main Source per Workspace. Once Main has been selected, the option will be disabled (unless you edit the existing Main).

    Defining a New Identity Source

    To define a new Source:
    1. In the Identity Workspace, click the Settings Icon ().
    2. Select Attribute Sources. The window displays the current list of available Sources.
    3. Click New Sources
    4. In the General Details section:
      • Enter the Source Name.
      • In the Source Type, select Main, Aux, or Context. For more information, see Understanding Source Types.
      • In the Logo URL field, enter the URL of the logo you wish to appear next to the Identity Source in the Identity Workspace (optional). The logo will then appear next to the Source as well as next to the Attributes mapped to that Source.
    5. If defining a Main Source, click the Validate user slider to enable the Platform to validate the user. If all of the Attributes are sent in the Request, there is no need to validate the user existence in the External Source. However, if the Validate user option is enabled, the user will need to be validated in the External Source regardless of what was (or was not) sent in the Request. By default, this is set to Off (user not validated).
    6. When you select AUX or Context in the Source Type, you can define the following in the Source Details section:
      1. In the Policy Authorization Group field, if no other sources are available, select the Policy Authorization Group through which the Identity Source data is sent. If a source is available, this field is view only.
      2. In the Source View field, select which View which will be used as a Source for this Asset Type. Note this field is required. Once you select a PAA, the available Views for the selected PAA appear in a drop-down menu. If you later edit the Source and change the View, all correlations in the Mapping are removed.
      3. In the Cache Duration field, set how long the Identity Attributes from this Source are cached (in seconds). The default value is 0 seconds. For more information, see Caching Options.
    7. In the Correlation Rules dropdowns, select a PlainID Attribute and Source Attribute.
    8. To filter Context Sources in the Request section fields, define the Source and Request Attribute fields. These fields are required. 
      1. Inputting an Attribute Mapper is optional. If no mapper is defined, the Request Attribute is required to be in the request body under the contextData section, which is used when calling the Context Source.
      2. This mapper  allows you to specify a Mapper used to fetch the Context request value to use. See the example in the Request Explanation section for more information. If utilized, ensure that the correct JSONPath syntax is used.
    9. Click Create

    The Source is added to the Source List. 

    Extracting your SourceID

    To extract your sourceID:

    1. Navigate to the Identity Workspace Settings.
    2. Select the Attribute Sources tile.
    3. In the Source List, select the relevant Source
    4. Copy the sourceID from the General Details section.

    Request Explanation

    The Source Attribute is the field in the External Data Source that should match the Request Attribute value, which is either sent in the request or fetched by an Attribute Mapper is specified.

    Request Attributes values can be sent in the Authorization request or dynamically fetched using an Attribute Mapper.
    For example, if you want to fetch the Request Attribute from a specific JWT, you would input the relevant Request Attribute to extract from the JSONPath in the Attribute Mapper.

    Note: There is a limit of 25 Context Request Attributes per Identity Workspace.


    Mapping Section

    In the Mapping section, you can map the PlainID Attribute to the Correlation Attribute. You are not obligated to map all the available Attributes. Instead, you can map only the relevant Attributes that should be presented across in the Authorization Platform or used in user access calculations. 

    • Source Attribute – Select an Attribute from the External Source.
    • PlainID Attribute – Select the Attribute from the Authorization Platform that will be mapped to the Source Attribute.

    Editing an Attribute Source

    To edit an Attribute Source:

    1. In the Identity Workspace, click the Settings icon (). The Identity Workspace Settings screen is displayed with the current list of available Sources.

    2. Click Attribute Sources.

    3. On the top-right, click on Edit.

    4. Save your changes.


    JSONPath Structures and Examples

    JSONPath syntax is used in relevant places like template matching and attribute mapping, and follows these structures:

    For JWTs - $.request.headers.<header-name>.JWT.<claim-name/path>

    For Headers - $.request.headers.<header-name>.<property-name/path>

    Mapper Part

    Description

    $

    The start of a mapper

    request

    Signifies that the mapper is from a request 

    headers

    Signifies that the source of mapper is coming from request headers

    <header-name>

    Header name to use as a source. Header names with dashes are supported without using quotation marks and brackets. 

    JWT (optional)

    Defines if the header contains a JWT or a regular value

    <claim-name> OR <JPath>

    Defines the claim name or path to extract value from.

    In case of a non-JWT header this will define the header value, header property, or header value path to be used to extract value from. Full JSONPath syntax is supported.

    For consistent and reliable JSONPath usage, see the following JWT code snippet examples:

    $.request.headers.Authorization.JWT.iss // Fetches the issuer claim from Authorization JWT 
    $.request.headers.x-user.JWT.user.type // Fetches the type claim under the user from a JWT sent through an x-user header
    
    $.request.headers.Authorization.JWT.sub // Fetches the subject claim from Authorization JWT 
    


    $.request.headers.x-identity.JWT.uid // Fetches the uid claim from x-identity JWT

    JWT headers provide increased flexibility in handling different JWT structures. Using any other headers in a request are also supported for extracting identity attributes.

    Users can also map an Identity Attribute from a header that is not a JWT, by simply removing the JWT as demonstrated in the code snippets:

    $.request.headers.x-user-type // Fetches the value of x-user-type header 
    $.request.headers.x-user.type // Fetches the value of type property of the x-user header


    A shorthand syntax is also supported to allow shortening of the mapper definition:

    $.request.headers.x-user.type // Fetches the value of type property of the x-user header
    $.request.headers.x-user.type // Fetches the value of type property of the x-user header


    Deleting an Identity Source

    To delete a  Source:

    1. In the Identity Workspace, click the Settings icon (). The Identity Workspace Settings screen is displayed with the current list of available Sources.

    2. Click Attribute Sources.

    3. In the Source List, hover over a Source card.

    4. Click the trash can icon that appears on the right side of the Source card.

    Important
    Deleting the Identity Source does not delete the mapped Identity Attributes. They can still be used in a Dynamic Group. 

    Understanding Source Types

    When creating a Source from which Identity data is taken, you have the option of selecting from the following Source Types:

    • Main
    • Aux
    • Context

    About Main Sources

    Each Identity Template is associated with a Main Source (such as LDAP, Active Directory, etc.). The Main Source is the primary source from which the Authorization Platform retrieves identity information. The Main Source is usually defined at setup time, although it can be changed later.

    There can only be one Main Source in a Workspace. Once this option has been assigned to a Source, it will be disabled for any additional Sources you wish to configure. The Main Source (or Main Store) is the primary Source from which the Platform retrieves Identity information. The Main Source type can be External or Identity Data can be taken from the Request

    In the Attribute Sources tab, you can define a Main Source that pulls information from an External Source.

    About AUX Sources

    In addition to the Main Source, you can also configure an Auxiliary Source (AUX). While the Main Source is assumed to contain the main Attributes (for example, UserID, First Name, Last Name, Title, and Department), the AUX Source might contain other relevant information required for the organization's policies. 

    When configuring the AUX Source, you must set the Correlation Attribute. This is an Attribute shared by both the Main Source and the AUX Source and is used by the Authorization Platform to match the user in the Main Source with the same User in the AUX Source (for example, if they both have the same UserID, it is assumed these two references point to the same user).

    Consider a case in which an Access Policy is based on whether the employee is working remotely or from the office. The Policy determines that employees working in the QA Department only have access to the QA server when they are physically located in corporate headquarters. When a user attempts to log into the QA server, using the UserID as the Correlation Attribute, the Authorization Platform checks the Main Identity Store to determine if the user works in QA and the AUX store to determine whether they are logging in from the office.

    About Context Sources

    In some cases, certain Identity Attributes may have different values (for the same Identity) depending on the context in which the access request is being made. Context Sources enable the Authorization Platform to evaluate the value of the Attribute based on the context. 

    For example, you may want to provide access for certain users with Employee rights in one Environment, but Manager rights in another. You can set up a Context Source for the Attribute User_Role that will return a value of Employee or Manager depending on the Environment from which the Request was made.


    Was this article helpful?