The LDAP Attribute condition allows you to restrict access based on a value in an LDAP attribute defined for the inetOrgPerson class or any other LDAP attribute you have added. You can have the user’s attribute value retrieved from your LDAP directory and compared to a value of the following type:
Roles from an identity provider
Date and time and its various elements
URL and its various elements
IP address
Authentication contract
Credential profile
HTTP request method
Static value in a data entry field
This condition is one of the slower conditions to process because the value needs to be retrieved from the LDAP server. If the value is not time sensitive, you can have attribute value sent in the assertion when the user authenticates. Its value is then in cache and available. For configuration information, on the Home page, click Applications > Select a Cluster > New Application or [application name] > SAML v2.0 Identity Provider.
To set up the matching for this condition, specify the following details:
LDAP Attribute: Specify the LDAP attribute you want to use in the comparison. Select from the listed LDAP attributes. To add an attribute that isn’t in the list, scroll to the bottom of the list, click New LDAP Attribute, then specify the name of the attribute.
Refresh Data Every: Sends a query to the LDAP server to verify the current value of the attribute according to the specified interval. Because querying the LDAP server slows down the processing of a policy, LDAP attribute values are normally cached after the value has been obtained. The default cache interval is for the user session. You must change the value of this option from Session to a more frequent interval only on those attributes that are critical to the security of your system or to the design of your work flow.
You can select to cache the value for the session, for the request, or for a time interval varying from 5 seconds to 60 minutes. For more information about this option, see Using the Refresh Data Option.
Comparison: Specify how you want the values compared. All data types are available. Select one of the following that matches the value type of your attribute:
Date: Specifies that you want the values compared as dates. Select one of the following date operators:
Equals: Indicates that the current date must be equal to the specified value.
Greater Than: Indicates that the current date be after the specified value.
Greater Than or Equal to: Indicates that the current date be after or equal to the specified value.
Less Than: Indicates that the current date be before the specified value.
Less Than or Equal to: Indicates that the current date be before or equal to the specified value.
Day of Week: Specifies that you want the values compared as a day of the week. Select one of the following operators:
Equals: Allows you to specify a day that the specified value must match.
In Range: Allows you to specify a range of days that the specified value must fall within, for example, Monday to Friday.
Day of Month: Specifies that you want the values compared as a day of the month. Select one of the following operators:
Equals: Allows you to specify a day that the specified value must match.
In Range: Allows you to specify a range of days that the specified value must fall within.
Integer: Specifies that you want the values compared as integers. Select one of the following:
Equals: Indicates that the integer value must be equal to the specified value.
Greater Than: Indicates that the integer value must be greater than the specified value.
Greater Than or Equal to: Indicates that the integer value must be greater than or equal to the specified value.
Less Than: Indicates that the integer value is less than the specified value.
Less Than or Equal to: Indicates that the integer value is less than or equal to the specified value.
IP: Specifies that you want the values compared as IP addresses. Select one of the following:
Equals: Allows you to specify an IP address that the specified value must match. You can specify more than one.
In Range: Allows you to specify a range of IP addresses that the specified value must fall within. You can specify more than one range.
In Subnet: Allows you to specify the subnet that the specified value must belong to. You can specify more than one subnet.
LDAP OU: Contains: Specifies that you want the condition to determine whether the user is contained by a specified organizational unit.
Attribute: Does Exist? Specifies that you want the condition to determine whether the user has an LDAP attribute. This is a unary condition.
Regular Expression: Matches: Specifies that you want the values compared as regular expressions.
String: Specifies that you want the values compared as strings and how you want the string values to be compared. Select one of the following:
Equals: Indicates that the values must match, letter for letter.
Starts with: Indicates that the attribute value must begin with the letters specified in the Value field.
Ends with: Indicates that the attribute value must end with the letters specified in the Value field.
Contains Substring: Indicates that the attribute value must contain the letters, in the same sequence, as specified in the Value field.
Time: Specifies that you want the values compared as time. Select one of the following:
Greater Than: Indicates that the current time is greater than the specified value.
Greater Than or Equal to: Indicates that the current time is greater than or equal to the specified value.
Less Than: Indicates that the current time is less than the specified value.
Less Than or Equal to: Indicates that the current time is less than or equal to the specified value.
In Range: Indicates that the current time must fall within the specified range, such as 08:00 and 17:00.
URL: Equals: Specifies that you want the values compared as URLs.
URL Scheme: Specifies that you want the values compared as scheme strings and how you want the values compared. Select one of the following:
Equals: Indicates that the URL scheme must contain the same letters, in the same order as specified in the value.
Starts with: Indicates that the URL scheme must begin with the letters specified in the value.
Ends with: Indicates that the URL scheme must end with the letters specified in the value.
Contains Substring: Indicates that the URL scheme must contain the letters, in the same sequence, as specified in the value.
URL Host: Equals: Specifies that you want the values compared as hostnames.
URL Path: Specifies that you want the values compared as paths and how you want the string values compared. Select one of the following:
Equals: Indicates that the URL path must contain the same letters, in the same order as specified in the value.
Starts with: Indicates that the URL path must begin with the letters specified in the value.
Ends with: Indicates that the URL path must end with the letters specified in the value.
Contains SUbstring: Indicates that the URL path must contain the letters, in the same sequence, as specified in the Value field.
URL File: Specifies that you want the values compared as filenames and how you want the names compared. Select one of the following:
Equals: Indicates that the filenames must contain the same letters, in the same order as specified in the value.
Starts with: Indicates that the filenames must begin with the letters specified in the value.
Ends with: Indicates that the filenames must end with the letters specified in the value.
Contains Substring: Indicates that the filenames must contain the letters, in the same sequence, as specified in the Value field.
URL File Extension: Specifies that you want the values compared as file extensions and how you want the file extensions compared. Select one of the following:
Equals: Indicates that the file extensions must contain the same letters, in the same order as specified in the value.
Starts with: Indicates that the file extensions must begin with the letters specified in the value.
Ends with: Indicates that the file extensions must end with the letters specified in the value.
Contains Substring: Indicates that the file extensions must contain the letters, in the same sequence, as specified in the Value field.
Mode: Select the mode, if available, that matches the comparison type. For example, if you select to compare the values as strings, you can select either a Case Sensitive mode or a Case Insensitive mode.
Value: Specify the second value for the comparison. All data types are available. For example, you can select to compare the value of one LDAP attribute to the value of another LDAP attribute. Only you can determine if such a comparison is meaningful.
Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.