Creating the Identity Injection Policy for a Custom Header

The following policy injects the user’s roles and DN into a custom header. The index.php page reads this information and uses it to display the user’s name. If the user is assigned the sales_role, Sales System is displayed on the main page.

  1. Click Devices > Access Gateways, then click Edit > DAL > Dallistener > Protected Resources > everything.

  2. Click Identity Injection > Manage Policies.

  3. In the Policy List section, click New, then fill in the following:

    Name: Specify Custom_Injection.

    Type: Select Access Gateway: Identity Injection.

  4. In the Actions section, click New > Inject into Custom Header.

  5. To inject the user’s name, fill in the following values:

    Custom Header Name: Specify X-Name.

    Value: Select Credential Profile. LDAP Credentials: LDAP User Name is selected automatically.

  6. To inject the user’s roles, click New > Inject into Custom Header, then fill in the following values for the second custom header:

    Custom Header Name: Specify X-Role.

    Value: Select Roles.

    Your policy must look similar to the following:

  7. Click OK twice, then click Apply Changes.

  8. Click Close.

  9. In the Identity Injection Policy List section, select Custom_Injection, then click Enable.

  10. Click OK.

  11. Click Devices > Access Gateways, then click Update > OK.

  12. To test Tom’s access rights, complete the following steps:

    1. Open a new browser, then enter the URL of the Digital Airlines website you created.

      In this example, it is am3bc.provo.novell.com.

    2. When prompted for user ID and password from Access Manager, log in with Tom’s credentials.

      The page appears with a Welcome: Tom message at the top, and Sales System appears in the lower right corner of the page.

      Access 1 or 2 and authenticate the users Tom and admin using the common password novell.

    3. Click Sales System, and the Sales page appears.

      If Sales System does not appear, Tom was not assigned the sales_role. Check the following:

      • Verify that the role policy is enabled for Identity Server by clicking Policies > Policies, and confirm that Identity Server is listed in the Used By column for the policy.

      • On the Policies page, confirm that Access Gateway is listed in the Used By column for the Identity Injection policy.

      • Discover whether there was an error in the Role policy evaluation. Click Auditing > General Logging and download the catalina.out file for Identity Server. Search for the name of the role policy and determine whether the role was successfully assigned.

      • Determine whether there was an error in Identity Injection policy evaluation. Click Auditing > General Logging and download the catalina.out file for Access Gateway. Search for the name of the Identity Injection policy and determine whether its values were successfully injected.

      For more information about troubleshooting policies, see Section 33.6, Troubleshooting Access Manager Policies.

    4. Close all sessions of the browser.

  13. To test that the sales_role is required for the Sales System to appear, complete the following steps:

    1. Open a new browser, then enter the URL of the Digital Airlines website you created.

      In this example, it is am3bc.provo.novell.com.

    2. Log in as the admin user. The page must have a Welcome: admin message at the top, but Sales System must not appear.

    3. Add /sales to the URL, and the Sales page appears.

      This illustrates that hiding the link is not the same as protecting the resource: the Sales page itself is still reachable by a user who does not have the sales_role.

    4. Close all sessions of the browser.

  14. Continue with Assigning an Authorization Policy to Protect a Resource.
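The following is an added example, not the tutorial's index.php, showing how an origin application behind the Access Gateway would consume the X-Name and X-Role headers injected by Custom_Injection, and what step 13 above demonstrates: displaying the Sales System link only for sales_role is cosmetic, while `handle_request` enforces the role on /sales itself. It assumes (the page does not say) that multiple roles arrive in one X-Role value separated by commas, and that the gateway is the only network path to the application, so clients cannot supply these headers directly; the sample requests are constructed.

```python
# Added example (not the tutorial's index.php): read the X-Name / X-Role
# headers injected by the Custom_Injection policy, and contrast hiding the
# Sales System link with actually enforcing sales_role on /sales.
# Assumptions not stated on the page: roles are comma-separated in X-Role,
# and only the Access Gateway can reach this application, so the headers
# are trustworthy.

SALES_ROLE = "sales_role"


def parse_roles(header_value):
    """Split the injected X-Role header into a set of role names."""
    if not header_value:
        return set()
    return {r.strip() for r in header_value.split(",") if r.strip()}


def render_index(headers):
    """Mirror what the tutorial says index.php does: greet the user by the
    injected name and show the Sales System link only if sales_role is present."""
    name = headers.get("X-Name", "")
    roles = parse_roles(headers.get("X-Role"))
    page = {"welcome": f"Welcome: {name}", "links": []}
    if SALES_ROLE in roles:
        page["links"].append("Sales System")
    return page


def handle_request(path, headers):
    """Enforce the role on the /sales resource itself, so a user who simply
    types the URL (step 13 above) is refused without sales_role."""
    roles = parse_roles(headers.get("X-Role"))
    if path == "/sales":
        if SALES_ROLE not in roles:
            return 403, "Forbidden: sales_role required"
        return 200, "Sales page"
    return 200, render_index(headers)["welcome"]


# Constructed sample requests, as the gateway would present them to the app.
TOM = {"X-Name": "Tom", "X-Role": "sales_role, employee_role"}
ADMIN = {"X-Name": "admin", "X-Role": "employee_role"}

if __name__ == "__main__":
    print(render_index(TOM))          # Sales System link shown
    print(render_index(ADMIN))        # link hidden
    print(handle_request("/sales", TOM))    # (200, 'Sales page')
    print(handle_request("/sales", ADMIN))  # (403, ...) instead of the page
```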