Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Storing an Attribute in a Separate Property

You can store a user or group attribute in a separate User-Defined property for logging and other purposes.

When a query for an attribute of a user or user group is performed in a directory on an LDAP server, the resulting information is stored on Web Gateway as the value of the Authentication.UserGroups property.

If you are interested in a particular piece of information, for example, the email address of a user, you can also retrieve it separately and store it in a User-Defined property.

For this purpose, you must create an additional rule, as well as additional settings named, for example, LDAP Email Lookup, for the Authentication module (engine). In this rule, the Authentication module runs with the additional settings to retrieve the information that is stored within the entry for a user as the value of the email attribute.

Options must be especially configured in the additional settings as follows:

  • Get user attributes must be enabled.
  • The User attributes to retrieve list must contain a single entry for the email attribute. When an Active Directory is running on the LDAP server, the attribute name is mail.
  • Map user to DN must be disabled.
    Not disabling the option produces an error, as the user name has already been mapped when the Authentication module was running with the LDAP settings to authenticate the user.

All other options can be configured in the same way as the settings within the rule that authenticates the user.

The complete rule should look as follows:

Get email information and store separately
Criteria                                                  Action         Event
Authentication.IsAuthenticated equals true AND         –> Continue       Set User-Defined.Email=
Authentlcation.GetUserGroups                                             List.OfString.ToString
<LDAP_Email_:Lookup> does not contain "no-group".                        (Authentication.UserGroups," ")

The rule must be added to the rule set for LDAP authentication and placed after the rule that authenticates the user.

  • Was this article helpful?