Claims are key-value pairs that relate to the identity and context of the user or device and are specific to each session.
There are several types of claims:
Context. Based on helpers that evaluate conditions such as whether the client is in a given IP range.
User. Static, non-changing claims such as username from the IdP, user claims script, or Connector.
Device. Dynamic, changeable claims such as the IP address of the connecting device.
System. Dynamic, changeable claims such as the country code from the Gateway.
And two classes of availability within the system:
Built-in (formerly Fixed). Set by the system; will always be gathered.
Scripted (formerly On-demand). Configured by the admin; gathered when required.
The admin UI provides a dynamic list of available claims that can be used. Dialogue boxes prompt you for the appropriate parameter values.
System claims
These are non-configurable claims that are generated by the system itself. Some of these can be considered trusted (such as connectTime), but others should be judged on a case-by-case basis (such as clientSrcIP), since they may be partly under the control of the user.
For information about the parameters, refer to System Claims.
User, device, and scripted claims
These comprise non-configurable claims, on-demand claims (which allow extra claims to be harvested) and scripts that can be used to generate custom claims. User claims are typically collected from authoritative sources such as LDAP and so would be considered trusted. Device claims should be judged on a case-by-case basis, but would normally be considered untrusted: the script, its execution environment and the measurement points are all partly under the control of the user.
From a trust (and therefore security) point of view it can be better to use a combination of device and user claims working together if you need to rely on claims about connecting devices. A device script could be used to collect a random ID (128 bit) that was assigned to the connecting device as part of an enterprise build process. This ID itself can't be trusted because it has come from the device. But this ID could then be passed in a user claim script to an authoritative external device database which, on finding an ID match, could return trusted claims relating to the device.
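The pattern above, written out as an added example in plain JavaScript (this is not AppGate's own code and does not use the AppGate scripting API): the device-reported ID is treated as untrusted input, validated, and used only as a lookup key against an authoritative inventory, and only the inventory's attributes are returned as trusted claims. The function name deriveDeviceClaims, the claim key enterpriseDeviceId and the inventory contents are constructed for illustration.

```javascript
// Added example: turning an untrusted device-reported ID into trusted claims by
// looking it up in an authoritative source. Not AppGate's code or API.

// Constructed stand-in for the enterprise device database, keyed by the 128-bit
// ID (32 lowercase hex characters) assigned at build time.
const deviceInventory = new Map([
  ["3f2a9c6e8b1d4f70a2c5e9b8d7f6a1c3",
   { assetOwner: "alice", managed: true, buildProfile: "corp-laptop-2024" }],
]);

// Exactly 128 bits of hex; anything else is rejected before the lookup.
const DEVICE_ID_PATTERN = /^[0-9a-f]{32}$/;

// deviceClaims: claims gathered by the (untrusted) device script.
// userClaims:   claims from the authoritative IdP (e.g. username).
// inventory:    the authoritative device database (a Map here).
function deriveDeviceClaims(deviceClaims, userClaims, inventory) {
  const reported = deviceClaims && deviceClaims.enterpriseDeviceId;
  // Normalise and validate the device-supplied value; it is attacker-controllable.
  const id = typeof reported === "string" ? reported.trim().toLowerCase() : "";
  if (!DEVICE_ID_PATTERN.test(id)) {
    return { deviceVerified: false, reason: "malformed-or-missing-id" };
  }

  const record = inventory.get(id);
  if (!record) {
    return { deviceVerified: false, reason: "unknown-device" };
  }

  // Only attributes from the authoritative record become trusted claims; the
  // device-supplied ID is never echoed back as a trusted value. Cross-checking
  // the inventory owner against the IdP username is what lets user and device
  // claims work together.
  const username = userClaims && userClaims.username;
  return {
    deviceVerified: true,
    assetOwner: record.assetOwner,
    managed: record.managed,
    buildProfile: record.buildProfile,
    ownerMatchesUser: record.assetOwner === username,
  };
}
```

A policy would then key on deviceVerified and ownerMatchesUser rather than on anything the device reported directly.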
This section explores device and user claims and explains how to configure the AppGate ZTNA system to gather additional claims.
For information about the parameters for each claim refer to: User Claims, Device Claims and Scripted Claims.