
SSO Injected Headers

When an application integrates with SSO it is placed behind a policy enforcement point (PEP), known as an agent or web-gate, through which all HTTP traffic to that application travels. The web-gate is configured to inject headers into inbound requests for consumption by the application. Such headers are always scrubbed by the web-gate: if a header by that name already exists on the incoming request it is removed before the web-gate's own value is added, so the application only ever sees values set by the web-gate rather than by the client.

The headers fall into two categories: those that are specific to the SSO environment and are always injected for all traffic, and those that are specific to an application and are only injected for traffic bound for that application. The current set of SSO-specific headers is listed below, followed by the headers used in Member/Leader applications. Several of these latter headers are used by the SSO Environment Simulator when evaluating policy condition syntax.

Unrecognized Headers

As of v5.10 the Simulator's Users and Sessions tab highlights injected headers that do not match those defined on this page, as shown in the following image.

[Image: Invalid Headers Highlighted]
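The scrubbing and injection behaviour described above, together with the unrecognized-header check the Simulator performs, as an added example that is not code from the wiki page or from the SSO team. The function names, the sample request headers and the `protected_prefix` rule are constructed for illustration; the prefix rule goes slightly beyond the page by dropping any inbound `policy-` header even when the web-gate is not injecting that particular name for this application, since an application typically trusts the whole namespace.

```python
# Added example: a minimal model of the web-gate's header handling.
# KNOWN_HEADERS lists the header names this page defines as currently injected;
# the deprecated policy-access-service and policy-status are deliberately omitted.

KNOWN_HEADERS = {
    "policy-service-url", "policy-signin", "policy-signout",
    "policy-country", "policy-cn", "policy-dn", "policy-givenname",
    "policy-gender", "policy-ldsaccountid", "policy-ldsbdate",
    "policy-ldsemailaddress", "policy-ldsemailaddress2",
    "policy-ldswdemailaddress", "policy-ldswdemailaddressdisplay",
    "policy-ldsindividualid", "policy-ldsmrn", "policy-ldspositions",
    "policy-ldsunits", "policy-preferredlanguage", "policy-preferredname",
    "policy-sn",
}


def scrub_and_inject(incoming, injected, protected_prefix="policy-"):
    """Return the header map the application receives.

    Every inbound header whose name (compared case-insensitively) collides with
    a header the web-gate injects is dropped first, as the page describes.  As
    an extra, assumed hardening step, any inbound name under protected_prefix is
    dropped too, so a client can never pre-supply a value in that namespace.
    The web-gate's own values are then added.
    """
    injected_names = {name.lower() for name in injected}
    kept = {}
    for name, value in incoming.items():
        lowered = name.lower()
        if lowered in injected_names or lowered.startswith(protected_prefix):
            continue  # scrubbed
        kept[name] = value
    kept.update(injected)
    return kept


def unrecognized_headers(injected):
    """Names in an injected-header configuration that this page does not define
    (the ones the Simulator's Users and Sessions tab highlights)."""
    return sorted(name for name in injected if name.lower() not in KNOWN_HEADERS)


if __name__ == "__main__":
    # Constructed sample: a client tries to pre-supply policy-cn and policy-ldsmrn.
    request_headers = {
        "Host": "app.example",
        "policy-cn": "attacker",
        "Policy-Ldsmrn": "0000000000000001",
        "X-Trace": "abc",
    }
    gate_headers = {"policy-cn": "jdoe", "policy-signin": "signmein"}
    print(scrub_and_inject(request_headers, gate_headers))
    print(unrecognized_headers({"policy-cn": "jdoe", "policy-foo": "x"}))
```

The check in `unrecognized_headers` is what a developer would run against an `<sso-header>` configuration before relying on a header in policy conditions: a name that is not on this page will never be injected in the real environment, however well it works in the simulator.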

SSO Specific Headers

policy-access-service

This header is deprecated and will not be available in the OAM/OES environment.


policy-service-url

This header tells applications running in the church SSO environment, or behind the simulator, the location of the fine-grained permissions REST service.

Source: Access Server
Replaces: did not change
Format: An absolute URL like http://dev.oes.ldschurch.org:8000/wam/oes/{version}/rest/. As of version 5.12 of the simulator and version CD-OESv1-1.9 of Clientlib4J this has an embedded macro of "{version}" that clientlib replaces with the version number of the REST interface that it knows how to talk to.
Description: The URI for the SSM REST service.
Simulator: Prior to version 5.17 of the SSO Environment Simulator this header was injected with an <sso-header> directive as a general-header. Version 5.17+ automatically injects the value to point to an instance of the REST service implemented by the simulator. As of 5.23+ the host and port used for the auto-generated header value can be adjusted via the <cctx-mapping> directive's policy-service-url-gateway attribute.

policy-signin

Source: Access Server
Replaces: NEW
Format: signmein
Description: The query string parameter that should be added to a request to force login.
Simulator: v5.8+ When simulating the SSO environment with the SSO Environment Simulator this header is injected automatically as a general header. When a request is seen with the value of this header as an empty-value query parameter in a session-less state, that request is redirected to the simulator sign-in page. Once authenticated, the user agent is redirected back to the original request, including the signmein query parameter; because a session now exists, this time the request passes through. See Developing SSO Protected Applications for more detail.

policy-signout

Source: Access Server
Replaces: NEW
Format: signmeout
Description: The query string parameter that should be added to a request to force logout.
Simulator: v5.8+ When simulating the SSO environment with the SSO Environment Simulator this header is injected automatically as a general header. When a request is seen with the value of this header as an empty-value query parameter in a session-active state, that session is terminated and the request is redirected back to the same request in such a way that the session cookie is cleared in the process. When the redirected request passes back through the simulator in a session-less state the parameter is ignored and the request goes through regular processing. See Developing SSO Protected Applications for more detail.
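The signmein and signmeout round trips described under these two headers, modelled as an added example that is not the simulator's code. The `route` function decides what the simulator does with one request given whether a session exists, and `simulate` walks the redirects from the user agent's side. The sign-in page path `/sim/sign-in` and its `goto` return parameter are assumptions; the page does not give the simulator's actual sign-in URL or how it remembers the original request.

```python
# Added example: state machine for the simulator's signmein / signmeout handling.
from urllib.parse import parse_qs, quote, urlsplit

SIGNIN_PARAM = "signmein"    # value of the policy-signin header
SIGNOUT_PARAM = "signmeout"  # value of the policy-signout header
SIGNIN_PAGE = "/sim/sign-in"  # assumed path of the simulator sign-in page


def has_empty_param(url, name):
    """True when the query string carries `name` with an empty value (?name or ?name=)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name) == [""]


def route(url, session_active):
    """What the simulator does with one request.

    Returns one of:
      ("redirect", location)       send the user agent to the sign-in page
      ("clear-and-redirect", url)  terminate the session, clear the cookie, re-request
      ("pass", None)               hand the request to the application
    """
    if has_empty_param(url, SIGNIN_PARAM) and not session_active:
        # goto= is an assumed mechanism for returning to the original request
        return ("redirect", f"{SIGNIN_PAGE}?goto={quote(url, safe='')}")
    if has_empty_param(url, SIGNOUT_PARAM) and session_active:
        return ("clear-and-redirect", url)
    # signmein with a session, signmeout without one, or neither: ordinary processing
    return ("pass", None)


def simulate(url, session_active=False):
    """Follow the redirects for one starting request from the user agent's side.

    Returns the list of (url, session_active, action) steps.  On a redirect to
    the sign-in page the user is assumed to authenticate, which creates a session.
    """
    trail = []
    for _ in range(5):  # a real flow finishes in at most three steps; bound the loop
        action, detail = route(url, session_active)
        trail.append((url, session_active, action))
        if action == "pass":
            return trail
        if action == "redirect":
            session_active = True  # user signed in at the simulator page
            url = parse_qs(urlsplit(detail).query)["goto"][0]
        else:  # clear-and-redirect
            session_active = False  # cookie cleared by the redirect response
            url = detail
    raise RuntimeError("flow did not terminate")


if __name__ == "__main__":
    for step in simulate("/app/home?signmein", session_active=False):
        print(step)
    for step in simulate("/app/home?signmeout", session_active=True):
        print(step)
```

Note that a `signmein` arriving with an active session, or a `signmeout` arriving without one, is simply passed through; that second case is exactly what happens on the second leg of a logout, which is why the logout redirect does not loop.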

policy-status

This header is no longer provided.


Example Application Headers

The headers listed below are typical of those consumed by the Next-Gen Member/Leader applications and are provided only as a sample. Although the simulator lets developers inject whatever headers they like during application development, such headers must be requested and approved, and may require programming effort by the SSO team to make the data available to the SSO environment, before they will ever appear for the application. Therefore, don't leave such dependencies until the last phase of application development; investigate your options early.

policy-country

Source: Gathered from the user for non-employees, or from the church HR system for employees.
Replaces: n/a
Format: Three-character ISO country abbreviation, e.g. USA
Description: The country of the user.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-cn

Source: Identity Vault
Replaces: did not change
Format: userid
Description: The common name of the user, which corresponds to their sign-in username.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-dn

Source: Identity Vault
Replaces: did not change
Format: cn=userid,ou=ext,ou=people,o=lds
Description: The full LDAP context of the user in LDS Account.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-givenname

Source: Identity Vault
Replaces: policy-given-name
Format: Firstname
Description: The givenname attribute of a user from their LDS Account profile.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-gender

Source: CMIS
Replaces: did not change
Format: M or F
Description: The gender of the user.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldsaccountid

Source: Identity Vault
Replaces: policy-lds-account-id
Format: NNNNNNNNNNNNNNNN
Description: The unique LDS Account identifier for the user.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldsbdate

Source: CMIS
Replaces: policy-birthdate
Format: YYYY-MM-DD, or whatever is returned from CMIS.
Description: If the date from CMIS contains fewer than 8 characters, the header contains whatever was received from CMIS. If the date has 8 characters, an attempt is made to format it as a date.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldsemailaddress

Source: LDS Profile
Replaces: policy-email
Format: Null (if attribute not found in directory)
Description: Corresponds to the LDS Account ldsEmailAddress attribute for a person: not the workforce account, but the email address the user has identified for correspondence.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldsemailaddress2

Source: LDS Account Personal Email Address - Alternate
Replaces: n/a
Format: Null (if attribute not found in directory)
Description: The alternate email address entered via a user's LDS Account profile.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldswdemailaddress

Source: LDS Profile (Is this correct?)
Replaces: n/a
Format: Null (if attribute not found in directory)
Description: A member's ward or branch email address.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldswdemailaddressdisplay

Source: LDS Profile (Is this correct?)
Replaces: n/a
Format: Null (if attribute not found in directory)
Description: Indicates whether or not the member's ward or branch email address should be displayed.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldsindividualid

Source: CMIS
Replaces: policy-individual-id
Format: NNNNNNNNNNNNNNNN
Description: The LDS individual identifier of the user. It stands in for the LDS MRN value but is safe to use in a web environment, whereas the LDS MRN itself should not be exposed on the internet.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldsmrn

Source: CMIS
Replaces: policy-lds-mrn
Format: NNNNNNNNNNNNNNNN
Description: The LDS member record number of the user. The header is still included for non-member accounts, but with an empty value.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldspositions

Source: CDOL
Replaces: policy-positions
Format: Empty if the person has no positions; otherwise
"p" + <Position ID> + "/" + <Unit Type ID> + "u" + <Unit ID of position> + "/" + <Unit Type ID> + "u" + <Containing Unit ID> + ... + "/" + <Unit Type ID> + "u" + <Highest Containing Unit ID> + "/"

Multiple values are delimited by a colon.
Example (single value): p4/7u118989/5u923492/1u234098/
Example (multiple values): p4/7u118989/5u923492/1u234098/:p1/5u923492/1u234098/
Note also that the left-most unit is the direct unit in which the position is held. In the multi-valued example the user is a bishop (p4) in ward 7u118989 and a stake president (p1) in stake 5u923492.

Description: An encoded string indicating the positions, if any, held by a user, the unit of each position, and the containing units of that unit.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-ldsunits

Source: CMIS/CDOL
Replaces: policy-units
Format: Null (if attribute not found in directory), or /<Unit Type ID>"u"<Unit ID>/<Unit Type ID>"u"<Unit ID>/<Unit Type ID>"u"<Unit ID>/<Unit Type ID>"u"<Unit ID>/

Example: /7u118989/5u923492/1u234098/

Description: The list of unit identifiers for the user, showing the units in which they reside and reflecting the containment hierarchy of those units, if they have a member record number (MRN).
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
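A parser for the policy-ldspositions and policy-ldsunits encodings described above, added here as an example rather than taken from the wiki page or from any church library. Both headers share the `<Unit Type ID>u<Unit ID>` token, so one `parse_units` helper serves both; the `Unit` type, the function names and the strictness on malformed tokens are the example's own choices, and the sample values are the ones given on this page.

```python
# Added example: parsing the encoded policy-ldspositions and policy-ldsunits values.
import re
from dataclasses import dataclass

# One unit token: <Unit Type ID> "u" <Unit ID>, e.g. 7u118989
UNIT_TOKEN = re.compile(r"^(\d+)u(\d+)$")


@dataclass(frozen=True)
class Unit:
    unit_type: int
    unit_id: int


def parse_units(value):
    """Parse a policy-ldsunits value such as '/7u118989/5u923492/1u234098/'.

    Returns the units from the direct unit outward through its containing units.
    An empty (null) value yields an empty list; a malformed token raises, since a
    policy condition should fail closed rather than guess at a unit.
    """
    if not value:
        return []
    units = []
    for token in value.strip("/").split("/"):
        match = UNIT_TOKEN.match(token)
        if not match:
            raise ValueError(f"malformed unit token {token!r}")
        units.append(Unit(int(match.group(1)), int(match.group(2))))
    return units


def parse_positions(value):
    """Parse a policy-ldspositions value into a list of (position_id, units).

    An empty value means no positions.  Colon-delimited entries each start with
    "p" + <Position ID>, followed by the unit chain in policy-ldsunits form.
    """
    if not value:
        return []
    positions = []
    for entry in value.split(":"):
        head, _, rest = entry.strip("/").partition("/")
        if not (head.startswith("p") and head[1:].isdigit()):
            raise ValueError(f"malformed position entry {entry!r}")
        positions.append((int(head[1:]), parse_units(rest)))
    return positions


def direct_unit(position):
    """The left-most unit: the unit in which the position is actually held."""
    return position[1][0]


def holds_position(value, position_id, unit_id):
    """Policy-style check: does the user hold position_id directly in unit_id?"""
    return any(pid == position_id and direct_unit(p).unit_id == unit_id
               for p in parse_positions(value) for pid in [p[0]])


if __name__ == "__main__":
    # Sample values from the page: a bishop in ward 118989 and a stake president in stake 923492.
    positions = "p4/7u118989/5u923492/1u234098/:p1/5u923492/1u234098/"
    for position_id, units in parse_positions(positions):
        print(position_id, [(u.unit_type, u.unit_id) for u in units])
    print(parse_units("/7u118989/5u923492/1u234098/"))
```

`holds_position` is the shape of check an application (or the simulator's policy condition evaluation) needs: the position ID alone is not enough, because the same position ID can appear against different units, and only the left-most unit of an entry says where the position is held.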

policy-preferredlanguage

Source: LDS Profile
Replaces: policy-preferred-language
Format: Two-character language code.
Description: The preferredLanguage attribute of a user from their LDS Account profile.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-preferredname

Source: LDS Profile
Replaces: policy-preferred-name
Format: Firstname Lastname
Description: The preferredName attribute of a user from their LDS Account profile.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.

policy-sn

Source: Identity Vault
Replaces: did not change
Format: Lastname
Description: The sn (surname) attribute of a user from their LDS Account profile.
Simulator: When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.


This page was last modified on 15 June 2011, at 15:54.

Note: Content found in this wiki may not always reflect official Church information. See Terms of Use.