You can pass the user information using the default header name or using a customized header name by configuring
custom_security.properties. The following is an updated list of available header parameters:
Note: Enabling trusted authentication on Library requires struct control over which HTTP headers the user agent (web browser) can send to the Library server. Accepting user attribute headers directly from the user agent is forbidden.
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
Note: The
EncodingMethodconfig applies to all the above attributes. For better language support, use UTF-8 encoding for the attributes and apply percent encoding before setting them in the HTTP header. Then configure
custom_security.properties, using the following, to correctly decode the attribute on the Library server:
EncodingMethod=UTF-8
When a group is passed via HTTP as a single string, you can use the following configuration items to control how the group string is parsed:
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. | User AttributeParameter of header name in custom_security.propertiesDefault headerTrusted authentication user ID LoginParam mstr-user-idFull name FullNameParam mstr-user-fullnameEmail EmailParam mstr-user-emailLDAP distinguished name DistinguishedName mstr-user-distinguished-nameLanguage LanguageParam mstr-user-languageGroups GroupsParam mstr-user-groupsConfig item in custom_security.propertiesValue typeDescription GroupSeparatorStringUse this item to split the single group header string into multiple group names, if they exist. The default separator is , . GroupFormat simpleor distinguishedNameUse this item to decide if the group name from the header is used directly or parsed as a LDAP group distinguished name. The default value is simple. |
For example, when Ping Federate provides the following headers:
PF_AUTH_NOT-ON-OR-AFTER=2025-11-12T06:47:04Z PF_AUTH_SUBJECT=johnDoe PF_AUTH_DISTINGUISHEDNAME=N=johnDoe,OU=Tech,OU=Employee,DC=people,DC=example,DC=org PF_AUTH_LANGUAGE=en-US PF_AUTH_FULLNAME=John Doe PF_AUTH_NOT-BEFORE=2025-11-12T06:40:40Z PF_AUTH_RENEW-UNTIL=2025-11-12T18:40:40Z PF_AUTH_EMAIL=johndoe@people.example.org PF_AUTH_GROUP=CN=Employee,OU=MyGroup,OU=Tech,OU=Employee,DC=people,DC=example,DC=org|CN=Customers,OU=MyGroup,OU=Tech,OU=Employee,DC=people,DC=example,DC=org
You can use the following settings in
custom_security.properties:
LoginParam=PF_AUTH_SUBJECT FullNameParam=PF_AUTH_FULLNAME EmailParam=PF_AUTH_EMAIL DistinguishedName=PF_AUTH_DISTINGUISHEDNAME LanguageParam=PF_AUTH_LANGUAGE GroupsParam=PF_AUTH_GROUP GroupFormat=distinguishedName GroupSeparator=|
Trusted authentication then imports user attributes from the Ping Federate headers.
For more information on importing user system prompt at trusted authentication, see KB489583: Passing System Prompts on Library Trusted Authentication.
