LDAPWiki: Identity Injection Process

Overivew#

Identity injection is one of the features of NAM that enable the NAM administrator to provide single sign-on for A&F users. When the policy is configured correctly, the user is unaware that additional information is required to access the Web server. Identity injection allows the addition of information to the URL, or to the HTML page, before it is posted to the Web server. The Web server uses this information to determine whether the user should have access to the resource, or perhaps what to display to the user. This means that it is the Web server that determines the information that is required to allow access to the resource.

Note:* Identity injection policies allow you to inject the user's password into the HTTP header. If you set up such a policy, you should also configure the LAG to use SSL between itself and the back-end Web server. This is the only way to ensure that the password is encrypted on the wire throughout the entire authentication process.

Identity Injection policies, like all policies, are available to any proxy service on the LAG. As a general rule, a policy is created for each application, but this does not mean a policy cannot be used for multiple applications. Bear this in mind when creating and/or naming a policy.

Before you can create an Identity injection policy you will need to acquire the types of information used by the application and how the application processes this information. Use the Identity Injection process diagram as a guide to help you create the policy.

There are two key benefits to using an Identity Injection policy:

Application developers do not have to create a login page
Application developers do not have to create a user identity store

An Identity Injection policy creates a seamless link between the LAG and the proxied application. With an Identity injection policy, the LAG *is* the login page and the Identity Data Store for the application. In most instances, the user need only to successfully authenticate to the LAG; Once authenticated, the LAG can forward any information required by the application on behalf of the user. Credentials such as any LDAP attribute or X509 certificate or a SAML assertion can be used. This creates a secure access point for the application due to the fact the user is unaware of what is required for proper application access.!! More Information There might be more information for this subject on one of the following:

NAM Configuration Notes