Custom attributes

In addition to standard attributes describing SSO users, such as username, password or email, it is also possible to create and manage additional arbitrary attributes holding any kind of information required.

Custom user attributes either exist for as long as their user exists or, optionally, can be configured to expire after some time. They persist across multiple login sessions; a related feature, session attributes, lets one set attributes separately for each session, that is, for each login.

The name of an attribute is its identifier; there is no separate ID field. Names are unique independently for user and session attributes, i.e. there can be a user attribute of a given name and a distinct session attribute of the same name, but there cannot be multiple user attributes, nor multiple session attributes, with the same name.

Each attribute can optionally be stored in the database in encrypted form. This can be used, for instance, with Social Security Numbers or other Personally Identifiable Information (PII). Encryption and decryption are performed on the fly; no programming is needed.

Regular users may access only their own attributes while super-users can manage attributes of any user.

The API is available for Python code and REST clients.

User attributes API

| REST | Python | Description |
| --- | --- | --- |
| POST /zato/sso/user/attr | self.sso.user.attr.create | Creates a new named attribute |
| POST /zato/sso/user/attr | self.sso.user.attr.create_many | As above but can create multiple attributes at a time |
| PATCH /zato/sso/user/attr | self.sso.user.attr.update | Updates an already existing attribute |
| PATCH /zato/sso/user/attr | self.sso.user.attr.update_many | As above but can update multiple attributes at a time |
| PUT /zato/sso/user/attr | self.sso.user.attr.set | Creates a new named attribute if it doesn’t already exist or updates it if it does |
| PUT /zato/sso/user/attr | self.sso.user.attr.set_many | As above but can set multiple attributes at a time |
| DELETE /zato/sso/user/attr | self.sso.user.attr.delete | Deletes an attribute |
| DELETE /zato/sso/user/attr | self.sso.user.attr.delete_many | As above but can delete multiple attributes at a time |
| GET /zato/sso/user/attr | self.sso.user.attr.get | Returns an attribute’s value, possibly with its metadata |
| GET /zato/sso/user/attr | self.sso.user.attr.get_many | As above but can return multiple attributes at a time |
| GET /zato/sso/user/attr/exists | self.sso.user.attr.exists | Checks if an attribute exists |
| GET /zato/sso/user/attr/exists | self.sso.user.attr.exists_many | As above but can check multiple attributes at a time |
| GET /zato/sso/user/attr/names | self.sso.user.attr.names | Returns names of all attributes defined for a user (only names, without values) |

Session attributes API

| REST | Python | Description |
| --- | --- | --- |
| POST /zato/sso/session/attr | self.sso.session.attr.create | Creates a new named attribute |
| POST /zato/sso/session/attr | self.sso.session.attr.create_many | As above but can create multiple attributes at a time |
| PATCH /zato/sso/session/attr | self.sso.session.attr.update | Updates an already existing attribute |
| PATCH /zato/sso/session/attr | self.sso.session.attr.update_many | As above but can update multiple attributes at a time |
| PUT /zato/sso/session/attr | self.sso.session.attr.set | Creates a new named attribute if it doesn’t already exist or updates it if it does |
| PUT /zato/sso/session/attr | self.sso.session.attr.set_many | As above but can set multiple attributes at a time |
| DELETE /zato/sso/session/attr | self.sso.session.attr.delete | Deletes an attribute |
| DELETE /zato/sso/session/attr | self.sso.session.attr.delete_many | As above but can delete multiple attributes at a time |
| GET /zato/sso/session/attr | self.sso.session.attr.get | Returns an attribute’s value, possibly with its metadata |
| GET /zato/sso/session/attr | self.sso.session.attr.get_many | As above but can return multiple attributes at a time |
| GET /zato/sso/session/attr/exists | self.sso.session.attr.exists | Checks if an attribute exists |
| GET /zato/sso/session/attr/exists | self.sso.session.attr.exists_many | As above but can check multiple attributes at a time |
| GET /zato/sso/session/attr/names | self.sso.session.attr.names | Returns names of all attributes defined for a session (only names, without values) |
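
The rules from the overview (separate user and session namespaces, optional expiry, own-attributes-only access for regular users) and the create/update/set distinction from the tables, as a small in-memory model. This is an added example, not Zato's code or API: `AttrStore`, `AttrError`, the `caller` and `scope` shapes, the `ttl` parameter and the way errors are reported are all assumptions made for illustration.

```python
import time

class AttrError(Exception):
    """Duplicate, missing, expired or forbidden attribute (model-only error type)."""

class AttrStore:
    """In-memory model of the rules above; hypothetical, not Zato's implementation."""
    def __init__(self, clock=time.time):
        self._clock = clock
        # (scope, name) -> (value, expires_at or None). A scope is ('user', user_id)
        # or ('session', user_id, session_id), so the two namespaces never collide.
        self._data = {}

    def _check_access(self, caller, scope):
        # Regular users reach only their own attributes; super-users reach anyone's.
        if not caller['is_super_user'] and caller['user_id'] != scope[1]:
            raise AttrError('forbidden')

    def _live(self, key):
        # An expired attribute is dropped on access and treated as absent.
        item = self._data.get(key)
        if item is not None and item[1] is not None and item[1] <= self._clock():
            del self._data[key]
            return None
        return item

    def _write(self, caller, scope, name, value, ttl, must_exist):
        self._check_access(caller, scope)
        exists = self._live((scope, name)) is not None
        if must_exist is True and not exists:
            raise AttrError('no such attribute')
        if must_exist is False and exists:
            raise AttrError('attribute already exists')
        # Model assumption: every write replaces the value and the expiry together.
        expires_at = self._clock() + ttl if ttl is not None else None
        self._data[(scope, name)] = (value, expires_at)

    def create(self, caller, scope, name, value, ttl=None):  # POST: must not exist yet
        self._write(caller, scope, name, value, ttl, must_exist=False)
    def update(self, caller, scope, name, value, ttl=None):  # PATCH: must already exist
        self._write(caller, scope, name, value, ttl, must_exist=True)
    def set(self, caller, scope, name, value, ttl=None):  # PUT: create or update
        self._write(caller, scope, name, value, ttl, must_exist=None)

    def get(self, caller, scope, name):
        self._check_access(caller, scope)
        item = self._live((scope, name))
        if item is None:
            raise AttrError('no such attribute')
        return item[0]
```

Passing a fake `clock` makes the expiry behaviour testable without waiting; the access check runs before any lookup, so a forbidden caller learns nothing about whether an attribute exists.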