
When proxying calls to your back-end API, the API Manager adds a header containing details gathered during the authentication process. These details are commonly used for:

...

| Claim | SSO Attribute | Value |
|-------|---------------|-------|
| http://wso2.org/claims/adusername | urn:mace:ucsd.edu:sso:ad:username | Active Directory user name. Not always available, even if the user has an active AD account. |
| http://wso2.org/claims/departmentcodes | urn:mace:ucsd.edu:sso:pps:departmentcodes | |
| (claim not shown in this version) | (attribute not shown in this version) | The APIM can be set up to segregate users and APIs into different tenants. UCSD is not using this feature, so this claim has no meaning. |
| http://wso2.org/claims/eid | urn:mace:ucsd.edu:sso:pps:eid | Employee ID |
| http://wso2.org/claims/emailaddress | urn:mace:ucsd.edu:sso:people:long_email | The long form of the user's UCSD email address, where the name can be longer than 8 characters. |
| http://wso2.org/claims/givenname | urn:mace:ucsd.edu:sso:people:firstname | First name |
| http://wso2.org/claims/lastname | urn:mace:ucsd.edu:sso:people:lastname | Last name |
| http://wso2.org/claims/networkuserid | urn:mace:ucsd.edu:sso:networkuserid | Kerberos/network username (a.k.a. Mail Account) |
| http://wso2.org/claims/pid | urn:mace:ucsd.edu:sso:isis:pid | Student ID (PID) |
| http://wso2.org/claims/racfid | urn:mace:ucsd.edu:sso:auth:racfid | RACF/mainframe ID (a.k.a. Business Systems account) |
| http://wso2.org/claims/systemid | urn:mace:ucsd.edu:sso:people:affiliateid | Persistent, unique identifier for this user. This is a GUID and is only relevant to the SOA set of services. Unlike all other identifiers, it will never be recycled and should be used as the user's primary ID in the remote system. |

Validating the JWT

The JWT supplied by the APIM is digitally signed by the APIM's certificate. The certificate is issued by UCSD and signed by a reputable CA.
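The following is an added example, not code from this page or from the APIM project, showing what a back end should check before trusting the claims above: the token's compact JWS structure, that the `alg` header is exactly RS256 (so a token claiming `none` or an HMAC algorithm is rejected before any cryptography runs), the RSA signature over `header.payload`, the `exp` claim, and the presence of `http://wso2.org/claims/systemid`, which the table identifies as the only identifier that is never recycled. One caveat worth making explicit: the fact that the APIM's certificate chains to a reputable CA is not by itself a reason to accept a token, because any CA-issued certificate would also chain; the verifier below takes the APIM's public key directly and assumes it was extracted out of band from the APIM certificate (for example with `crypto/x509`). Standard RFC 7515 base64url encoding is assumed, and `SignJWT`, the claim struct, the GUID and the user values are all constructed here so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims maps the WSO2 claim URIs from the table above onto struct fields.
// Only the claims this back end needs are listed; the decoder ignores the rest.
type Claims struct {
	SystemID      string `json:"http://wso2.org/claims/systemid"`
	NetworkUserID string `json:"http://wso2.org/claims/networkuserid"`
	EmailAddress  string `json:"http://wso2.org/claims/emailaddress"`
	GivenName     string `json:"http://wso2.org/claims/givenname"`
	LastName      string `json:"http://wso2.org/claims/lastname"`
	Exp           int64  `json:"exp,omitempty"` // seconds since the Unix epoch
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignJWT produces an RS256 compact JWS. It stands in for the APIM so the
// example can run offline; a real back end only verifies, it never signs.
func SignJWT(key *rsa.PrivateKey, claims Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyJWT validates token against the pinned APIM public key and returns the
// decoded claims. Nothing in the payload is trusted until the signature passes.
func VerifyJWT(apimKey *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header encoding: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("bad header JSON: %w", err)
	}
	if header.Alg != "RS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(apimKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	var claims Claims
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, fmt.Errorf("bad payload JSON: %w", err)
	}
	if claims.Exp != 0 && !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	if claims.SystemID == "" {
		return nil, errors.New("systemid claim missing; it is the only non-recycled identifier")
	}
	return &claims, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the APIM key
	token, _ := SignJWT(key, Claims{
		SystemID:      "00000000-0000-4000-8000-000000000000", // constructed GUID
		NetworkUserID: "jdoe",
		EmailAddress:  "jane.doe@example.invalid",
		GivenName:     "Jane",
		LastName:      "Doe",
		Exp:           time.Now().Add(5 * time.Minute).Unix(),
	})
	claims, err := VerifyJWT(&key.PublicKey, token, time.Now())
	fmt.Printf("claims=%+v err=%v\n", claims, err)
}
```

Keying the back-end user record on `SystemID` rather than on `NetworkUserID` or `EmailAddress` follows the table's own advice: the other identifiers can be reassigned to a different person later, so a lookup by them can silently attach an old account to a new user.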

JWT Processing Code Example

BYU use of claims and JWT

...

All other values in the table should be filled in with the appropriate information.


Relationship records should only be added for applications under the control of a BYU entity. There is no need to add them for individuals publishing their own applications. Currently there is no defined process for approving and adding these relationship records.

...