User claim scripts generate additional user claims that are used in Policy assignment, Entitlements, and Conditions. User claim scripts run after user sign-in and after running the device claim scripts, but before Policy assignment.
Scripts can read existing user, device, and system claims. The additional user claims they generate can be used elsewhere in the system. Within the Controller, new claims can be used as assignment criteria within Policies. These new claims are also added to the claims token, so within the Gateway they can be used as access criteria in Conditions and in Entitlement scripts to define protected hosts.
Before you start
Consider the following before creating user claim scripts:
The script runs on the Controller whenever a user is authenticated and at claims token renewal.
The script runs in a sandboxed JavaScript engine that supports external httpGet/Post/Put/Delete calls.
The results of multiple user claim scripts are merged. There is no defined precedence for resolving conflicts between them: when two scripts set the same claim, one value overrides the other.
The final claims are not encrypted.
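The following is an added illustration, not code from the product or its documentation, of how several user claim scripts run against the same sign-in claims and how their results merge. It assumes a script receives a claims object with user, device and system sections and returns a plain object of new claims; the real script API may differ, and the sample claims are constructed.

```javascript
// Added example (not the product's own code): models how several user claim
// scripts run against the same sign-in claims and how their results merge.
// ASSUMPTIONS: scripts receive a claims object with user/device/system sections
// and return a plain object of new claims; the real script API may differ.

// Constructed sample claims, as a script might see them after sign-in.
const sampleClaims = {
  user: { username: "alice", groups: ["finance", "vpn-users"] },
  device: { os: "windows", diskEncrypted: false },
  system: { clientIp: "203.0.113.10" },
};

// Script A: derive a department and a baseline risk level for that department.
function departmentScript(claims) {
  const dept = claims.user.groups.includes("finance") ? "finance" : "unassigned";
  return { department: dept, riskLevel: "medium" };
}

// Script B: derive a risk level from device posture. It also emits "riskLevel".
function postureScript(claims) {
  return { riskLevel: claims.device.diskEncrypted ? "low" : "high" };
}

// Naive merge, as the page warns: colliding keys are silently overridden,
// so the outcome depends only on the order the results are merged in.
function mergeClaimResults(results) {
  return Object.assign({}, ...results);
}

// Defensive merge: prefix each key with the script name so results cannot
// collide, and report every key that more than one script tried to set.
function mergeNamespaced(named) {
  const merged = {};
  const collisions = [];
  const seen = new Map();
  for (const [name, result] of Object.entries(named)) {
    for (const [key, value] of Object.entries(result)) {
      if (seen.has(key)) collisions.push(`${key}: ${seen.get(key)} vs ${name}`);
      seen.set(key, name);
      merged[`${name}.${key}`] = value;
    }
  }
  return { merged, collisions };
}

function runAll(claims) {
  const a = departmentScript(claims);
  const b = postureScript(claims);
  return {
    naiveAB: mergeClaimResults([a, b]), // riskLevel: "high" (B wins)
    naiveBA: mergeClaimResults([b, a]), // riskLevel: "medium" (A wins)
    safe: mergeNamespaced({ department: a, posture: b }),
  };
}
```

Namespacing keys per script keeps a Policy or Condition from silently matching whichever script happened to run last; the collision list is what you would surface during script review.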
Review the following background information:
Review the user claims topic, which includes details about user claim scripts.
Review the use of scripts.
Refer to claims in detail for information about claims used in the system.
Use the User Claim Scripts page to:
Add a new user claim script.
Edit an existing user claim script.
When you are ready to add a user claim script, see the Configure User Claim Scripts section.