When an application integrates with SSO it is placed behind a policy enforcement point (PEP) known as an agent or web-gate, through which all HTTP traffic to that application travels. The web-gate is configured to inject headers on inbound requests for consumption by the application. Such headers are always scrubbed by the web-gate, meaning that if a header by that name already exists on the incoming request it is removed before the web-gate's value is injected.
The headers fall into two categories: those that are SSO environment specific and always injected for all traffic, and those that are specific to an application and are only injected for traffic bound for that application. The current set of SSO-specific headers is listed below, followed by the headers used in Member/Leader applications. Of these latter headers, several are used in the SSO Environment Simulator's evaluation of policy condition syntax.
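The scrub-then-inject rule above, as an added illustration that is not the web-gate's or the simulator's own code: every header name the gate injects is first removed from the inbound request (case-insensitively, as HTTP header names are), so a client-supplied value can never reach the application under an injected name, while unrelated headers pass through untouched. The header values are constructed for the example.

```python
# Constructed example of the web-gate behaviour described on this page.
GENERAL_HEADERS = {               # SSO-environment headers, injected for all traffic
    "policy-signin": "signmein",
    "policy-signout": "signmeout",
}

def scrub_and_inject(inbound, general_headers, user_headers):
    """Return the header set the application sees behind the web-gate.

    inbound:         headers as received from the client, {name: value}
    general_headers: environment-wide headers injected for every request
    user_headers:    application-specific headers for the authenticated user
    """
    injected = dict(general_headers)
    injected.update(user_headers)
    scrubbed_names = {name.lower() for name in injected}
    # Any inbound header whose name collides with an injected header is dropped,
    # whatever its capitalisation; everything else is left as the client sent it.
    result = {name: value for name, value in inbound.items()
              if name.lower() not in scrubbed_names}
    result.update(injected)
    return result

def client_value_survived(inbound, general_headers, user_headers, name):
    """True only if the client's own value for `name` reached the application."""
    result = scrub_and_inject(inbound, general_headers, user_headers)
    client_value = next((v for k, v in inbound.items() if k.lower() == name.lower()), None)
    return client_value is not None and result.get(name) == client_value
```

Because only the injected names are scrubbed, an application should rely on these headers only when it is reachable exclusively through the web-gate (or the simulator standing in for it).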
As of v5.10, the Simulator's Users and Sessions tab highlights injected headers that do not match those defined on this page, as shown in the following image.
[Image: Invalid Headers Highlighted]
policy-access-service
This header is deprecated and will not be available in the OAM/OES environment.
policy-service-url
This header empowers applications running in the church SSO environment and behind the simulator by conveying to them the location of the fine grained permissions rest service.
Source | Access Server
Replaces | did not change
Format | An absolute URL like http://dev.oes.ldschurch.org:8000/wam/oes/{version}/rest/. As of version 5.12 of the simulator and version CD-OESv1-1.9 of Clientlib4J this has an embedded macro of "{version}" that clientlib replaces with the version number of the REST interface that it knows how to talk to.
Description | The URI for the SSM ReST service.
Simulator | Prior to version 5.17 of the SSO Environment Simulator this header was injected with an <sso-header> directive as a general-header. Version 5.17+ automatically injects the value to point to an instance of the rest service implemented by the simulator. As of 5.23+ the host and port used for the auto-generated header value can be adjusted via the <cctx-mapping> directive's policy-service-url-gateway attribute.
policy-signin
Source | Access Server
Replaces | NEW
Format | signmein
Description | The query string parameter that should be added to a request to force login.
Simulator v5.8+ | When simulating the SSO environment with the SSO Environment Simulator this header is injected automatically as a general header. When a request is seen with the value of this header as an empty-value query parameter in a session-less state, that request is redirected to the simulator sign-in page. Once authenticated, the user agent is redirected back to the original request, including the signmein query param. Because a session now exists, this time the request passes through. See Developing SSO Protected Applications for more detail.
policy-signout
Source | Access Server
Replaces | NEW
Format | signmeout
Description | The query string parameter that should be added to a request to force logout.
Simulator v5.8+ | When simulating the SSO environment with the SSO Environment Simulator this header is injected automatically as a general header. When a request is seen with the value of this header as an empty-value query parameter in a session-active state, that session is terminated and the request is redirected back to the same request in such a way that it clears the session cookie in the process. Once the request passes back through the simulator in a session-less state, the parameter is ignored and the request passes through regular processing. See Developing SSO Protected Applications for more detail.
policy-status
This header is no longer provided.
The headers listed below are typical of the headers consumed by the Next-Gen Member/Leader applications. These are only provided as a sample. Although the simulator allows developers to inject whatever headers they desire during application development, such headers must be requested, have approval granted, and potentially require some programming effort by the SSO team to make the data available to the SSO environment before the headers will ever appear for the application. Therefore, don't leave such dependencies until the last phase of application development. Investigate your options early.
policy-country
Source | Gathered from the user for non-employees or from the church HR system for employees.
Replaces | n/a
Format | Country three character ISO abbreviation. ex: USA
Description | The country of the user.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-cn
Source | Identity Vault
Replaces | did not change
Format | userid
Description | The common name of the user, which corresponds to their sign-in username.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-dn
Source | Identity Vault
Replaces | did not change
Format | cn=userid,ou=ext,ou-people,o=lds
Description | The full LDAP context of the user in lds account.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-givenname
Source | Identity Vault
Replaces | policy-given-name
Format | Firstname
Description | The givenname attribute of a user from their lds account profile.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-gender
Source | CMIS
Replaces | did not change
Format | M or F
Description | The gender of the user.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldsaccountid
Source | Identity Vault
Replaces | policy-lds-account-id
Format | NNNNNNNNNNNNNNNN
Description | The unique lds account identifier for the user.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldsbdate
Source | CMIS
Replaces | policy-birthdate
Format | YYYY-MM-DD or whatever is returned from CMIS.
Description | If the date from CMIS contains fewer than 8 characters then the header will contain whatever was received from CMIS. If the date had 8 characters, then we try to format it to a date format.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldsemailaddress
Source | LDS Profile
Replaces | policy-email
Format | Null (if attribute not found in directory)
Description | Corresponds to the lds account's ldsEmailAddress attribute for a person: not the workforce account, but the email address the user identified to be used for correspondence.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldsemailaddress2
Source | LDS Account Personal Email Address - Alternate
Replaces | n/a
Format | Null (if attribute not found in directory)
Description | The alternate email address entered via a user's LDS Account profile.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldswdemailaddress
Source | LDS Profile (Is this correct?)
Replaces | n/a
Format | Null (if attribute not found in directory)
Description | A member's ward or branch email address.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldswdemailaddressdisplay
Source | LDS Profile (Is this correct?)
Replaces | n/a
Format | Null (if attribute not found in directory)
Description | Indicates whether the member's ward or branch email address should be displayed.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldsindividualid
Source | CMIS
Replaces | policy-individual-id
Format | NNNNNNNNNNNNNNNN
Description | The lds individual identifier of the user. It represents the lds mrn value but is safe to use in a web environment, whereas the lds mrn should not be exposed on the internet.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldsmrn
Source | CMIS
Replaces | policy-lds-mrn
Format | NNNNNNNNNNNNNNNN
Description | The lds member record number of the user. Will be included for non-member accounts, but its value will be empty.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldspositions
Source | CDOL
Replaces | policy-positions
Format | Will be empty if the person has no positions, or "p" + <Position ID> + "/" + <Unit Type ID> + "u" + <Unit ID of position> + "/" + <Unit Type ID> + "u" + <Containing Unit ID> + ... + "/" + <Unit Type ID> + "u" + <Highest Containing Unit ID> + "/".
  Multiple values are delimited by a colon.
  Example, single value: p4/7u118989/5u923492/1u234098/
  Example, multiple values: p4/7u118989/5u923492/1u234098/:p1/5u923492/1u234098/
  Note also that the left-most unit is the direct unit in which the position is held. In the multi-valued example the user is a bishop (p4) in ward 7u118989 and a stake president (p1) in stake 5u923492.
Description | An encoded string indicating the positions, if any, held by a user, the unit of each position, and the containing units of that unit.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-ldsunits
Source | CMIS/CDOL
Replaces | policy-units
Format | Null (if attribute not found in directory) or /<Unit Type ID>"u"<Unit ID>/<Unit Type ID>"u"<Unit ID>/<Unit Type ID>"u"<Unit ID>/<Unit Type ID>"u"<Unit ID>/
  Example: /7u118989/5u923492/1u234098/
Description | The list of unit identifiers of the user, showing in which units they reside and reflecting the containment hierarchy of those units, if they have a member record number (MRN).
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
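A parser for the policy-ldspositions and policy-ldsunits formats documented above, as an added example that is not part of this page or of Clientlib4J. The sample header values are the page's own examples; the helper names (`parse_units`, `parse_positions`, `holds_position_in_unit`) are assumptions for the illustration, and malformed tokens raise rather than being silently skipped so a bad header is noticed.

```python
import re
from dataclasses import dataclass

# The page's example values, used here as constructed sample input.
SAMPLE_POSITIONS = "p4/7u118989/5u923492/1u234098/:p1/5u923492/1u234098/"
SAMPLE_UNITS = "/7u118989/5u923492/1u234098/"

UNIT_RE = re.compile(r"^(\d+)u(\d+)$")  # <Unit Type ID>u<Unit ID>

@dataclass(frozen=True)
class Unit:
    unit_type_id: int
    unit_id: int

@dataclass(frozen=True)
class Position:
    position_id: int
    units: tuple  # direct unit first, highest containing unit last

def parse_units(value):
    """Parse policy-ldsunits ('/<type>u<id>/.../') into Units, direct unit first.
    A null or empty header (no unit information) yields an empty list."""
    if not value or not value.strip("/"):
        return []
    units = []
    for token in value.strip("/").split("/"):
        m = UNIT_RE.match(token)
        if not m:
            raise ValueError(f"bad unit token: {token!r}")
        units.append(Unit(int(m.group(1)), int(m.group(2))))
    return units

def parse_positions(value):
    """Parse policy-ldspositions: colon-separated 'p<id>/<unit chain>/' entries."""
    if not value:
        return []
    positions = []
    for entry in value.split(":"):
        head, _, rest = entry.strip("/").partition("/")
        if head[:1] != "p" or not head[1:].isdigit():
            raise ValueError(f"bad position token: {head!r}")
        positions.append(Position(int(head[1:]), tuple(parse_units(rest))))
    return positions

def holds_position_in_unit(value, position_id, unit_id):
    """True if the user holds position_id directly in unit_id (the left-most unit)."""
    return any(p.position_id == position_id and p.units and p.units[0].unit_id == unit_id
               for p in parse_positions(value))
```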
policy-preferredlanguage
Source | LDS Profile
Replaces | policy-preferred-language
Format | Two character language code.
Description | The preferredLanguage attribute of a user from their lds account profile.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-preferredname
Source | LDS Profile
Replaces | policy-preferred-name
Format | Firstname Lastname
Description | The preferredName attribute of a user from their lds account profile.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.
policy-sn
Source | Identity Vault
Replaces | did not change
Format | Lastname
Description | The sn (surname) attribute of a user from their lds account profile.
Simulator | When simulating the SSO environment with the SSO Environment Simulator this header is injected with an <sso-header> directive as a user-header.