

Configure Required Attributes

The CA Identity Manager user store must include the following well-known attributes to enable user registration and access through the mobile app:

You map these well-known attributes to available user store attributes in the directory configuration file (directory.xml). If there are no available attributes, extend the user store schema. For more information about extending the schema, see the documentation for your user store.

Include the following data classifications in the attribute descriptions:

<DataClassification name="sensitive"/>

Replaces the reset code value with wildcard characters in task screens, audit records, and system logs.

Important! Do not include the sensitive data classification in the %ACTCODE% attribute definition. If you include the sensitive data classification, the mobile app does not work correctly.

<DataClassification name="AttributeLevelEncrypt"/>

Encrypts and decrypts the reset code value as it is written and read from the user store using the defined encryption key.

<DataClassification name="ignore_on_copy"/>

Causes CA Identity Manager to ignore an attribute when an administrator creates a copy of an object in the User Console.

Note: Refer to the end of this topic for samples of these well-known attributes.

Follow these steps:

  1. Log in to the Management Console.
  2. Select Directories, then click the directory that contains mobile users.
  3. Export the directory.
  4. Add or modify an attribute description to include the %ACTCODE% well-known attribute.

    You can map any available attribute to the %ACTCODE% well-known attribute.

  5. Repeat step 4 to define the %ACTCODEVAL% well-known attribute. Include the following data classifications:
    <DataClassification name="sensitive"/>
    <DataClassification name="ignore_on_copy"/>  
    <DataClassification name="AttributeLevelEncrypt"/>
    
  6. Add an attribute description for the %CURRENT_AUTH_QUESTIONS% well-known attribute. Include the following data classifications:
    <DataClassification name="ignore_on_copy"/>  
    
  7. Add an attribute description for the %MOBILE_PIN% well-known attribute. Include the following data classifications:
    <DataClassification name="sensitive"/>
    <DataClassification name="ignore_on_copy"/>  
    <DataClassification name="AttributeLevelEncrypt"/>
    
  8. Add an attribute description for the %PWRESETCODE% well-known attribute. Include the following data classifications:
    <DataClassification name="sensitive"/>
    <DataClassification name="ignore_on_copy"/>  
    <DataClassification name="AttributeLevelEncrypt"/>
    
  9. Save the directory.xml file.
  10. Load the saved directory.xml file by clicking Update in the Directory Properties page in the Management Console.

Samples

Note: You can map any available attribute to these well-known attributes.

%ACTCODE%

<ImsManagedObjectAttr
physicalname="attribute_name"
displayname="your_attribute_display_name"
description="your_attribute_description"
valuetype="String"
required="false"
multivalued="false"
wellknown="%ACTCODE%"
maxlength="0" 
hidden="true"
system="true">
<DataClassification name="ignore_on_copy"/>  
<DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>

%ACTCODEVAL%

<ImsManagedObjectAttr
physicalname="attribute_name"
displayname="your_attribute_display_name"
description="your_attribute_description"
valuetype="String"
required="false"
multivalued="false"
wellknown="%ACTCODEVAL%"
maxlength="0" 
hidden="true"
system="true">
<DataClassification name="ignore_on_copy"/>  
<DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>

%CURRENT_AUTH_QUESTIONS%

<ImsManagedObjectAttr
physicalname="attribute_name"
displayname="your_attribute_display_name"
description="your_attribute_description"
valuetype="String"
required="false"
multivalued="false"
wellknown="%CURRENT_AUTH_QUESTIONS%"
maxlength="0" 
hidden="true"
system="true">
<DataClassification name="ignore_on_copy"/>
</ImsManagedObjectAttr>

%MOBILE_PIN%

<ImsManagedObjectAttr
physicalname="attribute_name"
displayname="your_attribute_display_name"
description="your_attribute_description"
valuetype="String"
required="false"
multivalued="false"
wellknown="%MOBILE_PIN%"
maxlength="0" 
hidden="true"
system="true">
<DataClassification name="ignore_on_copy"/>  
<DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>

%PWRESETCODE%

<ImsManagedObjectAttr
physicalname="attribute_name"
displayname="your_attribute_display_name"
description="your_attribute_description"
valuetype="String"
required="false"
multivalued="false"
wellknown="%PWRESETCODE%"
maxlength="0" 
hidden="true"
system="true">
<DataClassification name="ignore_on_copy"/>  
<DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>
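
A pre-load check for the edited directory.xml, as an added example that is not part of the product documentation: it reports well-known attributes that are unmapped, lack a data classification listed in steps 5 through 8, carry sensitive on %ACTCODE%, or have padded classification names. Element and attribute names follow the samples above; the `check_directory` function, the `<ImsManagedObject>` wrapper, and the sample fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Data classifications that steps 5-8 list for each well-known attribute.
ALL3 = {"sensitive", "ignore_on_copy", "AttributeLevelEncrypt"}
REQUIRED = {
    "%ACTCODE%": set(),
    "%ACTCODEVAL%": ALL3,
    "%CURRENT_AUTH_QUESTIONS%": {"ignore_on_copy"},
    "%MOBILE_PIN%": ALL3,
    "%PWRESETCODE%": ALL3,
}
FORBIDDEN = {"%ACTCODE%": {"sensitive"}}  # per the Important! note

# Constructed sample fragment (not a real export); the wrapper element is assumed.
SAMPLE = """<ImsManagedObject name="User">
  <ImsManagedObjectAttr physicalname="attr1" wellknown="%ACTCODE%">
    <DataClassification name="sensitive"/>
    <DataClassification name="ignore_on_copy"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="attr2" wellknown="%MOBILE_PIN%">
    <DataClassification name="sensitive"/>
    <DataClassification name=" AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="attr3" wellknown="%CURRENT_AUTH_QUESTIONS%">
    <DataClassification name="ignore_on_copy"/>
  </ImsManagedObjectAttr>
</ImsManagedObject>"""

def local(tag):
    """Drop an XML namespace prefix, in case the export declares one."""
    return tag.rsplit("}", 1)[-1]

def check_directory(xml_text):
    """Return findings for the mobile-app well-known attributes."""
    findings, seen = [], set()
    for el in ET.fromstring(xml_text).iter():
        wk = el.get("wellknown")
        if local(el.tag) != "ImsManagedObjectAttr" or wk not in REQUIRED:
            continue
        seen.add(wk)
        raw = [c.get("name", "") for c in el if local(c.tag) == "DataClassification"]
        findings += [f"{wk}: classification name {n!r} has stray whitespace"
                     for n in raw if n != n.strip()]
        names = {n.strip() for n in raw}  # compare on the trimmed name
        findings += [f"{wk}: missing {m}" for m in sorted(REQUIRED[wk] - names)]
        findings += [f"{wk}: must not carry {b}"
                     for b in sorted(FORBIDDEN.get(wk, set()) & names)]
    return findings + [f"{wk}: not mapped" for wk in sorted(set(REQUIRED) - seen)]

if __name__ == "__main__":
    print("\n".join(check_directory(SAMPLE)) or "OK")
```

An empty result means every well-known attribute is mapped with the classifications the steps call for; run the check on the exported file before clicking Update in step 10.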