UserSecurityClaims policy

The UserSecurityClaims policy retrieves user claims and sets them as HTTP headers on outbound requests so that backend services can access identity and authorization information.

Use this policy when a target service requires user identity information such as security roles, accounting entity, or other claims to make authorization or routing decisions.

Overview

The UserSecurityClaims policy retrieves user claims and sets them as HTTP headers before the request is sent to the target endpoint. Backend services receive identity and authorization information without performing token validation themselves.

Who this affects

  • API administrators configuring proxy endpoint policies (requires ION API administrator access)
  • Backend service developers who consume user claim headers

Business benefits

  • Pass user identity information to backend services in a standardized header format
  • Eliminate the need for backend services to resolve user claims
  • Support filtering of security roles to control which roles are forwarded
  • Enable encoding of header values to support special characters

Scope

This policy can be attached to these request flow scopes:

  • Proxy endpoint
  • Proxy endpoint resource (for Infor-provisioned APIs)

How it works

When a request passes through the API Gateway, the policy extracts claim values from the authenticated user security context and injects them as HTTP headers on the outbound request to the target.

  • Header values are comma-delimited strings when multiple values exist for a claim. For example: IONAPI-User, IONAPI-Administrator, SuperUser
  • Claim values are resolved from Infor OS Security. If a claim is not configured or has no value in Security, the header is still added, with an empty value
  • Include filters are evaluated first; exclude filters then remove matching values from the included set
  • Filter values support exact match and regular expression patterns

Configuration

Configure the policy using attributes and elements.

Policy attributes

  • name: Name of this policy instance (required)
  • displayName: Display name of this policy instance
  • enabled: Indicates whether the policy is enabled (default true, required)
  • version: Version of the policy (default 1.0, required)

Elements

  • claimTypes (required, exactly 1): container for the claims to retrieve
  • claimType (required, 1..*, child of claimTypes): one claim to forward, with a name attribute (claim URI) and a headerName attribute (outbound header). As the examples below show, a claimType may also carry the optional attributes encoded="true" and maxItems, and may contain filter child elements

claimTypes element

Defines the list of claims to retrieve from the authenticated user security context for the request.

<claimTypes>
  <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="roles"/>
  <claimType name="http://schemas.infor.com/claims/AccountingEntity" headerName="accounting-entity"/>
</claimTypes>

filter element

Filters claim values using include or exclude rules. Each filter element has an action attribute of include or exclude and one or more value elements; a value is matched exactly or as a regular expression. Include filters are evaluated before exclude filters.

<claimType name="http://schemas.infor.com/claims/SecurityRole"
           headerName="filtered-roles">
  <filter action="include">
    <value>HOMEPAGES-Administrator</value>
    <value>IONAPI-.*</value>
  </filter>
  <filter action="exclude">
    <value>IONAPI-User</value>
  </filter>
</claimType>

Examples

These examples show common configurations.

Set role and accounting entity headers

<user-security-claims enabled="true" name="User identity claims" version="1.0">
  <claimTypes>
    <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="roles"/>
    <claimType name="http://schemas.infor.com/claims/AccountingEntity" headerName="accounting-entity"/>
  </claimTypes>
</user-security-claims>

Filter roles and add email address

<user-security-claims enabled="true" name="Filtered roles with email" version="1.0">
  <claimTypes>
    <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="securityrole-claim">
      <filter action="include">
        <value>Infor-SuiteUser</value>
      </filter>
    </claimType>
    <claimType name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" headerName="x-infor-identity2"/>
  </claimTypes>
</user-security-claims>

Filter roles using regular expressions

<user-security-claims enabled="true" name="Regex-filtered roles" version="1.0">
  <claimTypes>
    <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="roles">
      <filter action="include">
        <value>HOMEPAGES-Administrator</value>
        <value>IONAPI-.*</value>
      </filter>
      <filter action="exclude">
        <value>SuperUser</value>
      </filter>
    </claimType>
  </claimTypes>
</user-security-claims>

Encoded roles for special characters

<user-security-claims enabled="true" name="Encoded security roles" version="1.0">
  <claimTypes>
    <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="roles" encoded="true"/>
  </claimTypes>
</user-security-claims>

Limit roles with maxItems

<user-security-claims enabled="true" name="Limited security roles" version="1.0">
  <claimTypes>
    <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="roles" maxItems="5"/>
  </claimTypes>
</user-security-claims>

Complete configuration example

<user-security-claims enabled="true" name="Full claims configuration" version="1.0">
  <claimTypes>
    <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="roles">
      <filter action="include">
        <value>HOMEPAGES-Administrator</value>
        <value>IONAPI-.*</value>
      </filter>
      <filter action="exclude">
        <value>IONAPI-User</value>
      </filter>
    </claimType>
    <claimType name="http://schemas.infor.com/claims/AccountingEntity" headerName="accounting-entity"/>
  </claimTypes>
</user-security-claims>
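To make the evaluation order described under "How it works" concrete (include filters first, then exclude filters, then maxItems, then optional encoding, and an empty header when the claim is absent), here is an added Python simulation of how a policy document in the format above turns a user's claims into outbound headers. This is illustrative code written for this page, not Infor's gateway implementation. The policy document and the user claims are constructed for the example; the regular-expression matching is assumed to be anchored to the whole claim value, and the encoding is assumed to be URL percent-encoding, neither of which the page specifies.

```python
"""Simulation of UserSecurityClaims header derivation (illustrative, not Infor's code)."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed policy in the page's own format. It combines the page's filter,
# maxItems and encoded examples into a single document.
POLICY_XML = """
<user-security-claims enabled="true" name="Full claims configuration" version="1.0">
  <claimTypes>
    <claimType name="http://schemas.infor.com/claims/SecurityRole" headerName="roles" maxItems="3">
      <filter action="include">
        <value>HOMEPAGES-Administrator</value>
        <value>IONAPI-.*</value>
      </filter>
      <filter action="exclude">
        <value>IONAPI-User</value>
      </filter>
    </claimType>
    <claimType name="http://schemas.infor.com/claims/AccountingEntity" headerName="accounting-entity" encoded="true"/>
    <claimType name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" headerName="x-infor-identity2"/>
  </claimTypes>
</user-security-claims>
"""

# Constructed user security context: claim URI -> list of values.
# The email claim is deliberately missing to show the empty-header rule.
USER_CLAIMS = {
    "http://schemas.infor.com/claims/SecurityRole": [
        "IONAPI-User", "IONAPI-Administrator", "SuperUser",
        "HOMEPAGES-Administrator", "IONAPI-Auditor", "IONAPI-Developer",
    ],
    "http://schemas.infor.com/claims/AccountingEntity": ["ACME US, Inc."],
}


def matches(pattern, value):
    """A filter value matches a claim value exactly or as a regular expression.

    Assumption: the regex must match the whole value (anchored), so that
    'IONAPI-.*' selects only roles starting with 'IONAPI-'.
    """
    if pattern == value:
        return True
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False  # an unparsable pattern matches nothing


def apply_filters(values, filters):
    """filters: list of (action, [patterns]). Include runs first, then exclude."""
    includes = [p for action, pats in filters if action == "include" for p in pats]
    excludes = [p for action, pats in filters if action == "exclude" for p in pats]
    if includes:  # with no include filter, every value is a candidate
        values = [v for v in values if any(matches(p, v) for p in includes)]
    if excludes:
        values = [v for v in values if not any(matches(p, v) for p in excludes)]
    return values


def evaluate_policy(policy_xml, user_claims):
    """Return {headerName: header value} for one request's user claims."""
    root = ET.fromstring(policy_xml)
    headers = {}
    if root.get("enabled", "true") != "true":
        return headers
    for ct in root.find("claimTypes").findall("claimType"):
        # A claim that is not present in Security still produces a header, with an empty value.
        values = list(user_claims.get(ct.get("name"), []))
        filters = [
            (f.get("action"), [v.text.strip() for v in f.findall("value")])
            for f in ct.findall("filter")
        ]
        values = apply_filters(values, filters)
        max_items = ct.get("maxItems")
        if max_items is not None:
            values = values[: int(max_items)]  # keep the first N surviving values
        if ct.get("encoded", "false") == "true":
            values = [quote(v, safe="") for v in values]  # assumed encoding scheme
        headers[ct.get("headerName")] = ", ".join(values)  # comma-delimited header
    return headers


if __name__ == "__main__":
    for name, value in evaluate_policy(POLICY_XML, USER_CLAIMS).items():
        print(f"{name}: {value!r}")
```

Running it yields roles set to the three IONAPI-/HOMEPAGES- roles left after IONAPI-User is excluded and maxItems trims the list, accounting-entity percent-encoded because of its space and comma, and x-infor-identity2 present but empty. Because the backend performs no token validation of its own, it should accept these headers only on the path from the gateway and treat a request that carries them from any other source as unauthenticated.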

Important information

  • This policy requires a user context. Requests authenticated with client credentials or made anonymously carry no user claims, so use a grant type that includes user authentication.
  • Header values are comma-delimited when multiple values exist.
  • If a claim has no value, the header is set with an empty value.
  • Claims must be configured in Infor OS Security.
  • Only supported claim URIs produce values.
  • Include filters are applied before exclude filters.
  • Filters support regular expressions.
  • Enable encoding if special characters cause errors.
  • Use maxItems to limit header values.