SECURITY SERVER VARIABLES
REFERENCE GUIDE
Sign&go
Contact
ILEX
51 boulevard Voltaire
92600 Asnières-sur-Seine
Telephone: +33 1 46 88 03 40
Fax: +33 1 46 88 03 41
[email protected]
www.ilex-international.com
Legal Information
Sign&go is a registered trademark of Ilex. All other trademarks mentioned in this document are the
property of their respective owners.
This document is provided for information purposes only. Ilex provides no guarantee nor accepts any
liability for the information contained in this document. All information and data in this document may
be modified at any time without prior notice.
In accordance with article L. 122-4 of the Code de la Propriété Intellectuelle (French intellectual
property law), any full or partial reproduction, representation or distribution of this document by any
means whatsoever, without the express permission of Ilex, is prohibited and constitutes a breach of
the law that can result in prosecution under Articles L 335 - 2 and subsequent articles of the Code de
la Propriété Intellectuelle (French intellectual property law).
Copyright Ilex 2015. All rights reserved.
Ilex Security Server Variables Reference Guide Page 2/25
Sign&go
TABLE OF CONTENTS
1 FOREWORD  5
2 USING SIGN&GO VARIABLES  6
2.1 Introduction  6
2.2 Usage within parameters  6
2.3 Usage within scripts  7
3 VARIABLES PROVIDED BY THE AGENTS  8
3.1 HTTP headers  8
3.2 HTTPS information  9
3.3 Information about the request  10
3.4 Information on access typology  10
4 SIGN&GO TOKEN VARIABLES  12
4.1 Configuration  12
4.2 Authentication of the user  12
4.3 Token application parameters  13
5 VARIABLES UPDATED DURING THE AUTHORISATION PHASE  14
5.1 Variables relating to the security policy  14
5.2 Authentication zone application variables  14
5.3 Security policy application variables  15
6 VARIABLES UPDATED DURING THE AUTHENTICATION PHASE  17
6.1 Anonymous  17
6.2 Trusted  17
6.3 Identifier - password  17
6.4 Example utilisation of authentication session variables  17
6.5 Basic HTTP  18
6.6 Kerberos  18
6.7 NTLM  19
6.8 Radius  19
6.9 RSA SecurID  19
6.10 CPS Card  19
7 SECURITY SERVER VARIABLES  21
7.1 Session variables  21
7.2 Example utilisation of session variables  22
7.3 Application variables  22
7.4 Dynamic variables  23
1 FOREWORD
This document presents an exhaustive list of the variables available in the Sign&go security server.
Sign&go administrators should read this document in order to familiarise themselves with the various
Sign&go variables and the significance of their content.
In order to get the most from this document, the reader should consult the following Sign&go documentation:
Document Description
Sign&go Architecture Guide  This guide presents the various architectures that can be implemented with Sign&go. It also describes the internal operation of the product in addition to the basic steps involved in its administration.
Sign&go Administration and Configuration online help  Contextual help for Sign&go administration.
2 USING SIGN&GO VARIABLES
2.1 Introduction
In order to enable dynamic evaluation of the various Sign&go security policies, the Sign&go security
server provides administrators with a large amount of information in the form of variables. During
configuration of Sign&go, parameters can be defined with these Sign&go variables instead of using
static values.
These variables are evaluated dynamically and contain all the information concerning the transaction
currently being processed by the security server.
The following information is directly available in the form of variables:
The request presented by the agent,
All of the information concerning the current user,
The security server environment,
Information emanating from the authentication that was carried out,
…
2.2 Usage within parameters
In order to make use of the variables within the Sign&go administration, they must be delimited with
${…}. For example, the variable ${RESOURCE.URL} provides the URL that the user is attempting to
access.
In the preceding configuration, the behaviour redirects the non-authenticated user to the URL
http://www.acme.com/auth/login.jsp and provides the initial URL that the user tried to access as a
parameter.
2.3 Usage within scripts
Variables can be evaluated using the scripting language:
The request.applyPatchs() statement enables the substitution of variables within a string. This
method is useful when operating on a character string containing one or more Sign&go variables.
The request.applyPatchsURLEncoded() statement enables the substitution of variables in the form
of an encoded URL within a character string.
The following behaviour script redirects the user to a login URL in the same way as the previous
example:
var request = behavior.getRequest();
var response = behavior.getResponse();
// ${RESOURCE.URL} is substituted URL-encoded so that it survives as the sourceURL query parameter
var url = request.applyPatchsURLEncoded("http://www.acme.com/auth/login.jsp?sourceURL=${RESOURCE.URL}");
response.setRedirect(url);
The request.getContextValue() statement evaluates the Sign&go variables. It can be used as an
alternative to calling the methods directly and enables the information obtained from the APIs to be
used within the script.
For example, the following script retrieves the username from the TOKEN.LOGIN variable.
var request = behavior.getRequest();
// The variable name is passed without the ${...} delimiters
var login = request.getContextValue("TOKEN.LOGIN");
Note
The username can also be retrieved with the aid of the token.getLogin() statement, the token
object representing the user identity being retrieved from the request with the aid of the
request.getToken() statement.
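The difference between the two substitution statements above matters when the substituted value is itself placed inside another URL, as in the redirect example. The following is an added, stand-alone model of that substitution (not Sign&go code; the applyPatchs functions, the context object and the sample values are constructed for the example) showing what the login application receives in each case:

```javascript
// Added illustration (not Sign&go code): a minimal model of how
// request.applyPatchs() and request.applyPatchsURLEncoded() resolve
// ${VARIABLE} references, and why the URL-encoded form is the one to use
// when a variable is embedded as a query parameter of another URL.

// Constructed sample of the variables the security server exposes for one
// transaction; the values are invented for this example.
const sampleContext = {
  "RESOURCE.URL": "https://www.ilex.fr:8081/sample/start.asp?param=value&lang=fr",
  "TOKEN.LOGIN": "jdoe",
};

// Model of request.applyPatchs(): every ${NAME} is replaced by the value of
// NAME in the context. A variable that is not populated (for example an HTTP
// header absent from the request) yields an empty string.
function applyPatchs(template, context) {
  return template.replace(/\$\{([^}]+)\}/g, (_, name) => context[name] ?? "");
}

// Model of request.applyPatchsURLEncoded(): same substitution, but each value
// is percent-encoded so that it can safely be carried inside another URL.
function applyPatchsURLEncoded(template, context) {
  return template.replace(/\$\{([^}]+)\}/g,
    (_, name) => encodeURIComponent(context[name] ?? ""));
}

// Redirect template from section 2.3 of the guide.
const LOGIN_TEMPLATE =
  "http://www.acme.com/auth/login.jsp?sourceURL=${RESOURCE.URL}";

// What the login application sees as "sourceURL" once it parses the redirect
// URL the user arrived on (standard query-string parsing).
function receivedSourceUrl(redirectUrl) {
  return new URL(redirectUrl).searchParams.get("sourceURL");
}

// Build the redirect both ways and show what the login application receives.
function compareRedirects(context) {
  const raw = applyPatchs(LOGIN_TEMPLATE, context);
  const encoded = applyPatchsURLEncoded(LOGIN_TEMPLATE, context);
  return {
    raw,
    encoded,
    // Raw form: the "&lang=fr" part of the original URL is parsed as a
    // separate parameter, so the URL the user asked for is truncated.
    rawSourceUrl: receivedSourceUrl(raw),
    // Encoded form: the original URL round-trips intact.
    encodedSourceUrl: receivedSourceUrl(encoded),
  };
}

console.log(compareRedirects(sampleContext));
```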
3 VARIABLES PROVIDED BY THE AGENTS
Sign&go agents provide the security server with information concerning the intercepted request. This
information is available via the following variables.
3.1 HTTP headers
Variable Description
HTTPHDR.<HEADER NAME>  All of the HTTP headers within the request are transmitted in the form of variables having a dot notation: HTTPHDR.<HEADER NAME>. For example, the name of the Web server to be reached is available in the variable HTTPHDR.HOST. If the HTTP header is not present in the request, the variable is not populated. The names and significance of the different headers are specified by the HTTP protocol. Below is a list of the main HTTP headers contained in requests.
HTTPHDR.HOST  The hostname of the Web server that the client is trying to reach. This corresponds to the following part of the entered URL:
    Protocol://hostname[:port]/uri
    For example, taking the URL http://www.acme.com/index.htm as an illustration, this variable would contain "www.acme.com".
HTTPHDR.REFERER  The URL of the page that the user has come from.
HTTPHDR.USER-AGENT  The client browser ID string, for example:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
HTTPHDR.ACCEPT  The type of content accepted by the browser, for example:
    image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
HTTPHDR.ACCEPT-LANGUAGE  The languages accepted by the browser, for example:
    Fr
HTTPHDR.AUTHORIZATION  The user's credentials if they have been authenticated using HTTP on a Web server, for example:
    BASIC d2VibWFzdGVyOnpycW1hAAA=
HTTPHDR.COOKIE  Cookies stored in the browser and presented to the server, for example:
    Val1=03847732; cookie2=dummy
Note
The HTTP protocol can be downloaded from the following address:
http://www.faqs.org/rfcs/rfc2616.html
3.2 HTTPS information
The following variables only contain values if access to the resource is carried out using HTTPS.
When authentication by X509 certificate has been implemented, some of the variables correspond to
the Web server’s certificate, the others to the client browser’s certificate.
Note
Depending on which Web or Reverse Proxy server the agent is installed on, not all of the
following variables will have values defined. Those variables that do always have values
defined are marked with an asterisk (*) in the tables below.
In some cases, the same information will be stored in two different variables.
Variable Description
HTTPHDR.CERT_ISSUER *  Contains the contents of the presented client certificate's 'issuer' field. For example, O=ACME, OU=Company, CN=user name, C=FR, and so on.
HTTPHDR.CERT_SUBJECT *  Contains the contents of the client certificate's 'subject' field.
HTTPHDR.CERT_SERIALNUMBER *  Contains the client certificate's serial number.
HTTPHDR.CERT_KEYSIZE  Contains the length, in bits, of the SSL connection's session key.
HTTPHDR.CERT_SECRETKEYSIZE  Contains the length, in bits, of the server certificate's private key.
HTTPHDR.CERT_SERVER_ISSUER  Contains the contents of the server certificate's 'issuer' field.
HTTPHDR.CERT_SERVER_SUBJECT  Contains the contents of the server certificate's 'subject' field.
HTTPHDR.CERT_COOKIE  Contains the signature (hash value) corresponding to the client certificate.
HTTPHDR.HTTPS_SERVER_ISSUER  Contains the contents of the server certificate's 'issuer' field.
HTTPHDR.HTTPS_SERVER_SUBJECT  Contains the contents of the server certificate's 'subject' field.
HTTPHDR.HTTPS_SERIALNUMBER  Contains the server certificate's serial number.
HTTPHDR.HTTPS_KEYSIZE  Contains the length, in bits, of the SSL connection's session key.
HTTPHDR.HTTPS_SECRETKEYSIZE  Contains the length, in bits, of the server certificate's private key.
3.3 Information about the request
Variable Description
HTTP.METHOD  Contains the method used to access the resource. Corresponds to the HTTP methods GET, POST, HEAD, PUT, DELETE, …
RESOURCE.<ID> *  Information concerning the accessed resource is contained in the RESOURCE.<ID> variables.
RESOURCE.URL  Contains the full URL that the user attempts to access, for example:
    http://www.acme.com/admin.index.jsp
    https://www.ilex.fr:8081/sample/start.asp?param=value
RESOURCE.RESOURCE  Contains the URL that the user attempts to access WITHOUT the protocol, for example:
    //www.acme.com/admin.index.jsp
    //www.ilex.fr:8081/sample/start.asp?param=value
RESOURCE.SCHEME  Contains the protocol of the URL that the user attempts to access (including the ":"), for example:
    http:
    https:
RESOURCE.HOST  Contains the host (DNS name of the machine) that the user attempts to access, for example:
    www.acme.com
    www.ilex.fr
RESOURCE.PORT  Contains the port number of the URL that the user attempts to access. The variable contains an empty string if the port is not specified in the URL, for example:
    "" (empty string because the port is not specified)
    8081
RESOURCE.HOSTPORT  Contains the host and the port, separated by ":", of the URL that the user attempts to access, for example:
    www.acme.com
    www.ilex.fr:8081
RESOURCE.PATH  Contains the path (without parameters) of the URL that the user attempts to access, for example:
    /admin.index.jsp
    /sample/start.asp
RESOURCE.QUERY  Contains the parameters of the URL that the user attempts to access, for example:
    "" (empty string because no parameters are present)
    param=value
3.4 Information on access typology
Variable Description
ACCESS.<ID> *  Information regarding the access protocol is presented in the form of ACCESS.<ID> variables.
ACCESS.SECURE  Defined as 1 if the access is with HTTPS (secure), or 0 if in HTTP (non-secure).
ACCESS.CLIENTIPADDR  IP address of the client.
ACCESS.CLIENTIPHOST  Client DNS name (Attention: this information is not always available, it depends upon the integration with the Web / Reverse Proxy server).
ACCESS.CLIENTTCPPORT  Client TCP port (Attention: this information is not always available, it depends upon the integration with the Web / Reverse Proxy server).
ACCESS.AGENTIPADDR  IP address of the server on which the agent is installed.
ACCESS.AGENTIPHOST  DNS name of the server on which the agent is installed (Attention: this information is not always available, it depends upon the integration with the Web / Reverse Proxy server).
ACCESS.AGENTTCPPORT  Web / Reverse Proxy TCP port. This is the listener port of the Web or Reverse Proxy server and is the same as that specified in the URL:
    Protocol://host[:port]/uri
ACCESS.TIME  Time that the resource was accessed, in milliseconds since 1st January 1990.
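The RESOURCE.* variables in section 3.3 are all views of the same RESOURCE.URL, and ACCESS.SECURE follows the scheme. In Sign&go these values are populated by the agent; the function below is an added model (not Sign&go code) that derives them from a RESOURCE.URL value following the conventions of the two tables above, so the relationships between the variables can be checked against the table's own sample URLs:

```javascript
// Added illustration (not Sign&go code): derives the RESOURCE.* variables of
// section 3.3, plus ACCESS.SECURE of section 3.4, from a RESOURCE.URL value,
// following the conventions given in the tables: SCHEME keeps the ":", PORT
// and QUERY are "" when absent, HOSTPORT omits the ":" when no port is given,
// and RESOURCE is the URL without its scheme.

// scheme:  //host  [:port]  path  [?query]   (fragment, if any, is ignored)
const ABSOLUTE_URL =
  /^([a-z][a-z0-9+.-]*:)\/\/([^/:?#]+)(?::(\d+))?([^?#]*)(?:\?([^#]*))?/i;

function resourceVariables(resourceUrl) {
  const m = ABSOLUTE_URL.exec(resourceUrl);
  if (m === null) {
    throw new Error("RESOURCE.URL must be an absolute URL: " + resourceUrl);
  }
  // Destructuring defaults turn an absent port or query into "".
  const [, scheme, host, port = "", path, query = ""] = m;
  return {
    "RESOURCE.URL": resourceUrl,
    // Everything after the scheme, i.e. "//host[:port]/path[?query]".
    "RESOURCE.RESOURCE": resourceUrl.slice(scheme.length),
    "RESOURCE.SCHEME": scheme,
    "RESOURCE.HOST": host,
    "RESOURCE.PORT": port,
    "RESOURCE.HOSTPORT": port === "" ? host : host + ":" + port,
    "RESOURCE.PATH": path,
    "RESOURCE.QUERY": query,
    // ACCESS.SECURE is 1 for HTTPS access and 0 for HTTP (section 3.4).
    "ACCESS.SECURE": scheme.toLowerCase() === "https:" ? "1" : "0",
  };
}

// The two sample URLs used throughout the section 3.3 table.
const SAMPLE_URLS = [
  "http://www.acme.com/admin.index.jsp",
  "https://www.ilex.fr:8081/sample/start.asp?param=value",
];

for (const url of SAMPLE_URLS) {
  console.log(resourceVariables(url));
}
```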
4 SIGN&GO TOKEN VARIABLES
4.1 Configuration
Information regarding the Sign&go token configuration is provided in the form of the following
variables:
Variable Description
CONFIG.TOKEN.<ID> *  All information regarding the configuration of the Sign&go cookie (token) is available in the form of CONFIG.TOKEN.<ID> variables.
CONFIG.TOKEN.DOMAIN  The DNS domain in which the cookie is placed. This value corresponds to the value defined in the Sign&go administration.
CONFIG.TOKEN.SECURE  "TRUE" if the cookie is secured, "FALSE" if not. The browser will only send a cookie marked as secure over a secured connection (HTTPS). This value corresponds to that configured in the Sign&go administration.
CONFIG.TOKEN.ONDISK  "TRUE" if the cookie is to be stored on the hard disk, "FALSE" if not. A cookie stored on disk is persistent and saves the user from having to re-authenticate if they close and then restart their browser. The value corresponds to that configured in the Sign&go administration.
CONFIG.TOKEN.NAME  The name of the cookie. The value corresponds to that configured in the Sign&go administration.
CONFIG.TOKEN.TIMEOUT  Absolute lifetime of the Sign&go token in seconds. The value corresponds to that configured in the Sign&go administration.
4.2 Authentication of the user
When a user presents a valid Sign&go session token, all the information in the token is available in the
form of variables.
Variable Description
TOKEN.<ID> *  All information regarding the user is available in the form of TOKEN.<ID> variables.
TOKEN.USER  The unique user identifier in the directory. The semantics of this variable depend on the directory on which the user is authenticated. In the case of an LDAP directory the value corresponds to the user's DN. In the case of a SQL database, it corresponds to the user's identifier.
TOKEN.LOGIN  The user's identifier as configured in the directory. When authenticating by identifier/password, this value corresponds to the user's "login"; in other cases the value is deduced from the directory according to the configuration.
TOKEN.DIRECTORY  The name of the directory on which the user is authenticated.
TOKEN.LEVEL  The current authentication level of the user. This value corresponds to the value defined in the authentication schema used to authenticate the user.
TOKEN.AUTHENTICATIONSCHEMA  The name of the authentication schema used to authenticate the user.
TOKEN.AUTHDATETIME  The date and time of the authentication in the form of a GMT format character string.
TOKEN.AUTHDATETIMESEC  The date and time of the authentication in seconds since 1st January 1990.
TOKEN.TTL  The absolute lifetime of the token in seconds.
TOKEN.AGENT  The name of the agent that was used during authentication of the user.
4.3 Token application parameters
If the Sign&go token contains custom parameters, they are accessible in the form of the following
variables:
Variable Description
TOKEN.PARAM.<ID> *  All information regarding application parameters stored in the user's token is available in the form of TOKEN.PARAM.<ID> variables, where <ID> corresponds to the parameter name (in uppercase). For example, if the token contained a parameter named PROFILE, it would be accessible from the variable TOKEN.PARAM.PROFILE.
TOKEN.PARAMS  Contains a comma (,) separated list of all the application parameter names within the token.
Note
Storing application parameters within the token allows the user to be linked to complementary
information about their authentication or profile. Once associated with the token, this information
can be used directly during the authorisation and SSO phases.
For example, the initial identifier/password pair is commonly stored in the Sign&go token if it
needs to be re-presented at a later time, or the user's profile extracted from the directory can
be stored in the token.
Take care, however, that adding information to the token increases its size, which could have an
adverse effect on bandwidth. Also keep in mind that the maximum size of a Sign&go token is 4Kb,
which leaves 2Kb for application parameters.
5 VARIABLES UPDATED DURING THE AUTHORISATION PHASE
When the security server evaluates a security policy, it updates a certain number of variables before
starting the rules evaluation phase. This enables information about the security policy currently being
executed to be available during evaluation of the rules.
5.1 Variables relating to the security policy
Variable Description
POLICY.<ID> *  All information regarding the security policy being validated is available in the form of POLICY.<ID> variables.
POLICY.NAME  The name of the security policy currently being evaluated.
POLICY.DESCRIPTION  The description of the security policy currently being evaluated.
POLICY.TYPE  The type of the security policy currently being evaluated.
POLICY.TRUSTLEVEL  The minimum confidence level required by this security policy. If the user presents a token with a lower level of confidence than that required by this security policy, they are considered an anonymous user (i.e., without a token).
POLICY.ASKEDRESOURCE  The name of the requested resource that resulted in the successful evaluation of this security policy. This variable contains the same value as the RESOURCE.RESOURCE variable.
POLICY.ACTIVERESOURCE  The pattern of the resource that resulted in the successful evaluation of this security policy. This value corresponds to the resource regular expression, as defined in the policy, that resulted in the evaluation of this security policy (for example, //www.acme.com/admin/*).
POLICY.APPLICATIONNAME  The application name associated with the protected resource pattern in the security policy. This value corresponds to the application name associated with the pattern defined in the "Protected resource" field of the list of resources to be protected by the security policy.
Note
The POLICY.APPLICATIONNAME variable has a particular function: it associates a logical name with
the protected resource during the evaluation of the security policy. This makes it possible, during
evaluation of the security rules, to know which application or type of application the user is
attempting to access.
Access rules can therefore be configured to use this variable in order to verify, within a
directory, that the user is authorised to access the application or type of application.
An alternative is to put an application profile directly in this field and to verify within the
security rule that the user has this profile.
5.2 Authentication zone application variables
A group of application variables can be assigned to a Sign&go authentication zone; these variables
are then automatically populated during evaluation of the security rules.
This enables a group of commonly used values to be defined at the level of the authentication zone (for
example, the URLs of authentication or automatic password recording applications).
An authentication zone's application variables are provided in the form of session variables, and are
therefore prefixed by "SESSION".
In the above example, the AUTHENTURL application variable is accessed by the security rules under
the name SESSION.AUTHENTURL.
5.3 Security policy application variables
A group of application variables can be assigned to a Sign&go security policy; these variables are then
automatically populated during evaluation of the security rules.
This enables a group of values common to the policy to be defined at the level of the security policy (for
example, the information required for a security rule to evaluate the authorisations in a directory).
A security policy's application variables are provided in the form of session variables and are therefore
prefixed by "SESSION". They override the authentication zone application variables of the same name.
In the above example, the policy's REQUESTEDPROFILE application variable is accessed by the
security rules under the name SESSION.REQUESTEDPROFILE.
6 VARIABLES UPDATED DURING THE AUTHENTICATION PHASE
When the Sign&go security server evaluates an authentication schema, the schema updates certain
session variables during the authentication phase.
These variables contain certain information regarding the user’s current authentication such as the
authentication credentials that have been presented.
They are accessible from within the script that updates the application token’s parameters (script
inserted into the authentication schema) which enables authentication information to be stored directly
in the Sign&go token.
6.1 Anonymous
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The generic identifier used to authenticate the user.
SESSION.AUTHENTICATION.PASSWORD  The generic password used to authenticate the user.
6.2 Trusted
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The user identifier presented for the authentication.
6.3 Identifier - password
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The user identifier presented for the authentication.
SESSION.AUTHENTICATION.PASSWORD  The user password presented for the authentication.
6.4 Example utilisation of authentication session variables
The following example stores the identifier and password, provided by the user during authentication,
in the session token. Once this information is part of the token, it can be used in SSO behaviours
(Basic HTTP, HTML form completion, …) in order to re-present the user's initial credentials.
In order to store the user's identifier and password during authentication by an "identifier - password"
schema, the following script must be inserted into the authentication schema:
var request = authenticationschema.getRequest();
var token = request.getToken();
// Session variables are read without their "SESSION." prefix
var login = request.getSessionValue("AUTHENTICATION.LOGIN");
var password = request.getSessionValue("AUTHENTICATION.PASSWORD");
// Store the credentials as custom token parameters
token.addCustomParam("PRIMARYLOGIN", login);
token.addCustomParam("PRIMARYPASSWORD", password);
This script stores the identifier and password as “PRIMARYLOGIN” and “PRIMARYPASSWORD”
token parameters.
The information is then useable during the authorisation phase with the aid of the
${TOKEN.PARAM.PRIMARYLOGIN} and ${TOKEN.PARAM.PRIMARYPASSWORD} variables.
6.5 Basic HTTP
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The user identifier presented for the authentication.
SESSION.AUTHENTICATION.PASSWORD  The user password presented for the authentication.
6.6 Kerberos
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The user identifier presented for the authentication (this identifier is obtained from the user's Kerberos token).
SESSION.AUTHENTICATION.DOMAIN  The user's Windows domain name.
6.7 NTLM
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The user identifier presented for the authentication (this identifier is obtained from the user's NTLM authentication).
SESSION.AUTHENTICATION.DOMAIN  The user's Windows domain name.
6.8 Radius
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The user identifier presented for the authentication.
SESSION.AUTHENTICATION.PASSWORD  The user password presented for the authentication.
6.9 RSA SecurID
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.LOGIN  The user identifier presented for the authentication.
SESSION.AUTHENTICATION.PASSWORD  The one-time user password presented for the authentication.
6.10 CPS Card
Variable Description
SESSION.AUTHENTICATION.<ID>  All information regarding authentication of the user is available in the form of SESSION.AUTHENTICATION.<ID> variables.
SESSION.AUTHENTICATION.IDENTIFIANTEMETTEUR  Information from the CPS card.
SESSION.AUTHENTICATION.IDENTIFIANTCARTE  Information from the CPS card.
SESSION.AUTHENTICATION.CATEGORIECARTE  Information from the CPS card.
SESSION.AUTHENTICATION.DATEDEBUTVALIDITE  Information from the CPS card.
SESSION.AUTHENTICATION.DATEFINVALIDITE  Information from the CPS card.
SESSION.AUTHENTICATION.CODECIVILITE  Information from the CPS card.
SESSION.AUTHENTICATION.NOMPATRONYMIQUE  Information from the CPS card.
SESSION.AUTHENTICATION.NOMMARITAL  Information from the CPS card.
SESSION.AUTHENTICATION.PRENOMS  Information from the CPS card.
SESSION.AUTHENTICATION.PRENOMUSUEL  Information from the CPS card.
SESSION.AUTHENTICATION.CODESLANGUES  Information from the CPS card.
SESSION.AUTHENTICATION.TYPECARTE  Information from the CPS card.
SESSION.AUTHENTICATION.MODELECARTE  Information from the CPS card.
SESSION.AUTHENTICATION.IDENTIFIANTNATIONALPS  Information from the CPS card. Corresponds to the healthcare professional's real national identifier (ADELI number).
SESSION.AUTHENTICATION.IDENTIFIANTNATIONALPSCARTE  Information from the CPS card. Corresponds to the national identifier displayed on the CPS card (ADELI number prefixed by a letter).
SESSION.AUTHENTICATION.NOMEXERCICE  Information from the CPS card.
SESSION.AUTHENTICATION.CODEPROFESSION  Information from the CPS card.
SESSION.AUTHENTICATION.SPECIALITEQUALIFICATION  Information from the CPS card.
SESSION.AUTHENTICATION.ORIENTATIONSPARTICULIERES  Information from the CPS card.
SESSION.AUTHENTICATION.DISCIPLINESPECIALISATION  Information from the CPS card.
SESSION.AUTHENTICATION.SITUATIONPROFESSIONNELLE  Information from the CPS card.
Note
The CPS card is a smartcard issued to all French Healthcare professionals.
7 SECURITY SERVER VARIABLES
7.1 Session variables
The security server can store a group of values during the evaluation of a transaction; these variables
belong to the session variables.
Using these variables, information can be stored and propagated between the various security server
components:
criteria -> criteria
criteria -> behaviour
behaviour -> behaviour
The lifetime of a session variable corresponds to the lifetime of the evaluation of the security policy by
the security server. A session variable is attached to one evaluation and therefore cannot be shared
with other evaluations, nor is the variable persistent.
Once a session variable has been defined, its value can be retrieved using the following expression:
Variable Description
SESSION.<ID>  Enables retrieving the value of a previously defined session variable. The session variable name corresponds to <ID>; the name must be in uppercase.
Session variables can be defined and read with the aid of the scripting language integrated into the
security engine:
The corresponding Javadoc for the various objects accessible by the script language can be
consulted in the ‘doc/javadoc’ sub-directory of the security server’s installation directory.
Creation of a session variable in a criteria
var request = criteria.getRequest();
request.addSessionValue(“variableName”, “variableValue”);
criteria.setSucceed();
Retrieval of a session variable in a criteria
var request = criteria.getRequest();
var value = request.getSessionValue("variableName"); // value stored earlier in this evaluation
criteria.setSucceed();
Creation of a session variable in a behaviour
var request = behavior.getRequest();
request.addSessionValue("variableName", "variableValue");
Retrieval of a session variable in a behaviour
var request = behavior.getRequest();
var value = request.getSessionValue("variableName");
7.2 Example utilisation of session variables
When applying an SSO strategy to an application, it is sometimes necessary to make use of information
contained in a data repository. For example, when simulating the completion of an HTML form, the
identifier and password to be inserted into the form may be stored in an external database or in the
user's directory entry.
In order to retrieve the data and make it available to the “Complete HTML Form” behaviour, it is
necessary to use session variables. The security rule contains two “OK” behaviours composed as
follows:
The first is an “Execute script” behaviour which interrogates the directory or database in order to
retrieve the required data, the behaviour then stores this information in the form of session variables.
The second is a “Complete HTML Form” behaviour which uses the session variables in the form
${SESSION…} in order to insert the previously retrieved information into the HTML form.
7.3 Application variables
The Sign&go security server can store a group of variables in memory during execution of the server.
Therefore, with the aid of these variables, information can be stored and propagated between the
various security server components. This information is common to all of the security server’s
transactions.
Once an application variable has been created, its value can be retrieved with the following
expression:
Variable            Description
APPLICATION.<ID>    Enables retrieving the value of a previously defined application variable. The
                    application variable name corresponds to <ID>; the name must be in
                    uppercase.
Application variables can be defined and read with the aid of the scripting language integrated into the
security engine:
Note
The corresponding Javadoc for the various objects accessible by the script language can be
consulted in the ‘doc/javadoc’ sub-directory of the security server’s installation directory.
Creation of an application variable in a criteria
var request = criteria.getRequest();
request.addApplicationValue("variableName", "variableValue"); // shared by all transactions of the server
criteria.setSucceed();
Retrieval of an application variable in a criteria
var request = criteria.getRequest();
var value = request.getApplicationValue("variableName");
criteria.setSucceed();
Creation of an application variable in a behaviour
var request = behavior.getRequest();
request.addApplicationValue("variableName", "variableValue");
Retrieval of an application variable in a behaviour
var request = behavior.getRequest();
var value = request.getApplicationValue("variableName");
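The following is an added example, not code from the Sign&go product or its documentation, that models sections 7.1 to 7.3 in plain JavaScript: one EvaluationRequest object per policy evaluation carries the session variables, a module-level APPLICATION_STORE shared by every evaluation plays the role of the application variables, and the two "OK" behaviours of section 7.2 ("Execute script" then "Complete HTML Form") are written as functions. The class, function and variable names, the directory record and the form template are all constructed for the illustration; the real engine objects (criteria, behavior, request) are described only in the product Javadoc.

```javascript
// Added example (not Sign&go code): a small model of sections 7.1 to 7.3.
// Every name below (EvaluationRequest, APPLICATION_STORE, DIRECTORY, the
// behaviour functions) is constructed for this illustration.

// Constructed stand-in for the user directory queried by the first behaviour.
const DIRECTORY = {
  jdoe: { dominologin: "jdoe@example.test", dominopassword: "constructed-pw" },
};

// Application variables: common to all transactions of the server (section 7.3).
const APPLICATION_STORE = new Map();

class EvaluationRequest {
  constructor(userId) {
    this.userId = userId;
    this.session = new Map(); // session variables: this evaluation only (section 7.1)
  }
  // Names are stored uppercased so that addSessionValue("login", ...) and the
  // ${SESSION.LOGIN} placeholder designate the same entry (assumption).
  addSessionValue(name, value) { this.session.set(name.toUpperCase(), String(value)); }
  getSessionValue(name) { return this.session.get(name.toUpperCase()); }
  addApplicationValue(name, value) { APPLICATION_STORE.set(name.toUpperCase(), String(value)); }
  getApplicationValue(name) { return APPLICATION_STORE.get(name.toUpperCase()); }
}

// First OK behaviour ("Execute script"): query the directory and keep the
// result in session variables for the rest of this evaluation.
function executeScriptBehaviour(request) {
  const entry = DIRECTORY[request.userId];
  if (!entry) throw new Error("unknown user " + request.userId);
  request.addSessionValue("login", entry.dominologin);
  request.addSessionValue("password", entry.dominopassword);
}

// Escape a value placed inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Second OK behaviour ("Complete HTML Form"): expand ${SESSION.<ID>} and
// ${APPLICATION.<ID>} placeholders. An unresolved placeholder is an error so
// that the literal placeholder text is never submitted as a credential.
function completeHtmlForm(request, template) {
  return template.replace(/\$\{(SESSION|APPLICATION)\.([A-Z0-9_]+)\}/g, (whole, scope, id) => {
    const value = scope === "SESSION" ? request.getSessionValue(id) : request.getApplicationValue(id);
    if (value === undefined) throw new Error("undefined variable " + whole);
    return escapeAttr(value);
  });
}

// Constructed form template using the ${SESSION...} syntax of section 7.2.
const FORM_TEMPLATE =
  '<form action="${APPLICATION.DOMINO_URL}">' +
  '<input name="user" value="${SESSION.LOGIN}">' +
  '<input name="pass" value="${SESSION.PASSWORD}"></form>';

// Runs the rule's two OK behaviours for one user and returns the completed form.
function runRule(userId) {
  const request = new EvaluationRequest(userId);
  request.addApplicationValue("domino_url", "https://domino.example.test/names.nsf?Login");
  executeScriptBehaviour(request);
  return completeHtmlForm(request, FORM_TEMPLATE);
}

// Scoping check: a later evaluation sees the application variable but not the
// session variables of an earlier evaluation.
function scopingCheck() {
  const first = new EvaluationRequest("jdoe");
  first.addApplicationValue("domino_url", "https://domino.example.test/names.nsf?Login");
  executeScriptBehaviour(first);
  const second = new EvaluationRequest("jdoe");
  return {
    sessionShared: second.getSessionValue("login") !== undefined,
    applicationShared: second.getApplicationValue("domino_url") !== undefined,
  };
}
```

Because the password only ever lives in the session map of one evaluation, it disappears with that evaluation; the application store, by contrast, is the right place only for data that is identical for every user, such as the target URL, and never for per-user credentials.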
7.4 Dynamic variables
Variables can be defined in the security server and be administered by the Sign&go administration
console which enables carrying out complex evaluations.
The variables follow a dot notation in the Sign&go administration which facilitates their classification by
use (general configuration, application configuration, retrieval of repository information,…).
Two types of dynamic variables exist in the security server: static and scripted (‘dynamic’).
A static variable corresponds to a uniquely defined value.
A scripted ('dynamic') variable has a script associated with it; the script is executed each time the
variable is evaluated in order to calculate its return value. A full evaluation process therefore lies behind
scripted variables, which can be used, among other things, to retrieve and aggregate data coming from
third-party repositories (for example, an APPLICATION.DOMINO.LOGIN variable can correspond to a
script which retrieves the current user's login from an LDAP or SQL repository).
In the following example a script is associated with the scripted APPLICATIONS.DOMINO.LOGIN
variable; this script retrieves the value of the "dominologin" attribute associated with the current user
from the directory.
var context = variable.getContext();
var request = context.getRequest();
var token = request.getToken();
var directoryAttributes = token.getUserAttributes();
var dominologin = directoryAttributes.getStringValue("dominologin");
directoryAttributes.close();
variable.setValue(dominologin);
To use this variable in a Sign&go criteria or behaviour, refer to it in the following way:
${SERVER.APPLICATIONS.DOMINO.LOGIN}
Variable        Description
SERVER.<ID>     Starts the evaluation of a server variable named <ID>. If necessary, use the dot
                notation to name the variable, for example:
                SERVER.APPLICATIONS.DOMINO.LOGIN
In order to start the evaluation of a server variable in a Sign&go script, the request.getVariableValue
primitive must be used. The following example evaluates the APPLICATIONS.DOMINO.LOGIN and
APPLICATIONS.DOMINO.PASSWORD variables in a Basic HTTP SSO login behaviour.
var request = behavior.getRequest();
var response = behavior.getResponse();
// Both names carry the mandatory SERVER prefix; each call runs the variable's script.
var login = request.getVariableValue("SERVER.APPLICATIONS.DOMINO.LOGIN");
var password = request.getVariableValue("SERVER.APPLICATIONS.DOMINO.PASSWORD");
response.setBasicHttpSSO(login, password);
Note
When requesting the evaluation of a security server variable, the name must be prefixed with
"SERVER"; therefore a variable defined within the Sign&go administration as
"APPLICATIONS.DOMINO.LOGIN" must be called using the name
"SERVER.APPLICATIONS.DOMINO.LOGIN".
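The following is an added example, not code from the Sign&go product or its documentation, that models section 7.4: a registry holding static and scripted ('dynamic') server variables, a getVariableValue function that enforces the SERVER prefix described in the note above, and the Basic HTTP SSO behaviour written against that model. ServerVariables, buildRegistry, the USER_ATTRIBUTES record and the context object are constructed for the illustration; the real request.getVariableValue primitive and response.setBasicHttpSSO are described only in the product Javadoc, and the Authorization header value returned here is just a way of making the behaviour's result observable.

```javascript
// Added example (not Sign&go code): a model of static and scripted server
// variables and of the SERVER. prefix rule. All names below are constructed.

// Constructed user attributes, playing the role of token.getUserAttributes().
const USER_ATTRIBUTES = { dominologin: "jdoe", dominopassword: "constructed-pw" };

class ServerVariables {
  constructor() { this.vars = new Map(); this.scriptRuns = 0; }
  // Static variable: a single fixed value.
  defineStatic(name, value) { this.vars.set(name, { kind: "static", value }); }
  // Scripted variable: a function executed on every evaluation.
  defineScripted(name, script) { this.vars.set(name, { kind: "scripted", script }); }
  // Models request.getVariableValue("SERVER.<ID>"): the prefix is mandatory,
  // the remainder is the dot-notation name given in the administration console.
  getVariableValue(fullName, context) {
    const prefix = "SERVER.";
    if (!fullName.startsWith(prefix)) {
      throw new Error("server variable names must be prefixed with SERVER: " + fullName);
    }
    const def = this.vars.get(fullName.slice(prefix.length));
    if (!def) throw new Error("undefined server variable " + fullName);
    if (def.kind === "static") return def.value;
    this.scriptRuns += 1;
    return def.script(context); // re-run on each evaluation, never cached
  }
}

// Builds the registry as an administrator might in the console: the general
// configuration is static, the Domino credentials are scripted directory lookups.
function buildRegistry() {
  const server = new ServerVariables();
  server.defineStatic("GENERAL.DOMAIN", "example.test");
  server.defineScripted("APPLICATIONS.DOMINO.LOGIN",
    (ctx) => ctx.userAttributes.dominologin);
  server.defineScripted("APPLICATIONS.DOMINO.PASSWORD",
    (ctx) => ctx.userAttributes.dominopassword);
  return server;
}

// The Basic HTTP SSO behaviour of section 7.4 against the model above. Returns
// the Authorization header value that setBasicHttpSSO would cause the agent to
// inject: "Basic " + base64(login:password).
function basicHttpSsoBehaviour(server, context) {
  const login = server.getVariableValue("SERVER.APPLICATIONS.DOMINO.LOGIN", context);
  const password = server.getVariableValue("SERVER.APPLICATIONS.DOMINO.PASSWORD", context);
  return "Basic " + Buffer.from(login + ":" + password, "utf8").toString("base64");
}

// Each access to a scripted variable re-runs its script; a static one runs none.
function scriptedVariableRunCount() {
  const server = buildRegistry();
  const context = { userAttributes: USER_ATTRIBUTES };
  server.getVariableValue("SERVER.APPLICATIONS.DOMINO.LOGIN", context);
  server.getVariableValue("SERVER.APPLICATIONS.DOMINO.LOGIN", context);
  server.getVariableValue("SERVER.GENERAL.DOMAIN", context);
  return server.scriptRuns;
}

// A name without the SERVER prefix is rejected rather than silently resolved.
function missingPrefixRejected() {
  try {
    buildRegistry().getVariableValue("APPLICATIONS.DOMINO.LOGIN", {});
    return false;
  } catch (e) {
    return /SERVER/.test(e.message);
  }
}
```

The re-run counter is the point to keep in mind when a scripted variable performs a directory or SQL query: every ${SERVER...} reference costs one query, so a behaviour that needs the same value twice should read it once into a local variable or a session variable.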