CustomerID Custom Attribute Examples

Introduction

CustomerID supports custom attributes on both user and organization objects.

This document will show some example configurations.

Reference documentation is available at https://ubisecuredev.atlassian.net/wiki/display/IDS20211/User+and+organization+attributes+-+CustomerID 

Custom attributes can optionally be encrypted using the data.attribute.encrypt setting.

Examples

Example 1 - Custom user attribute

In this example, a customer-selected "Customer service code word" is used to support lightweight authentication over the telephone without giving a password. The customer can set it to any value of their choosing, and an administrator with sufficient access rights can view the value.

Because the web interface may be configured to require strong authentication, only the customer should know or have access to this value.

Example:

Customer Service: "Hi Leena, could you please tell me your code word before we complete your order?"

Leena Laine: "My code word is pink rose."

Customer Service: "Great. Your goods will be delivered tomorrow."

Each custom attribute also has tooltips that explain its usage. These are shown when modifying the value and on user registration screens.


Example 2 - Custom organization attribute

In this example, we want to store a CRM ID, the LEI (Legal Entity Identifier), and a billing code for each organization.

As an administrator, these three custom fields can be added to the Organization Home tab.


Example 3 - Custom user attributes that are not visible to customer, but available for administrators or help desk staff

Some custom attributes may be sensitive in nature, such as a credit score, customer class or basis for KYC (Know Your Customer). The example below shows an administrator looking at Leena's account from Example 1. In addition to her Customer service code word, the account also has a link to the KYC documentation made during customer account creation.

In this screenshot, Peter Pan, who is a system administrator, can see Leena's account details. The ID verification evidence link goes to an archive of the ID verification information used when opening the account. Peter Pan could examine the documents at that link when reviewing the account.


Example 4 - Access custom attributes by API

All custom attributes can also be queried and updated by authorised parties using the CustomerID API. For more information, see

https://ubisecuredev.atlassian.net/wiki/display/IDS20181/REST+API+2.1+-+CustomerID#RESTAPI2.1-CustomerID-GET105QueryUser


Configuration files

The main configuration file, eidm2.properties, specifies the custom attributes and display order for the self-service and admin pages. Selected sensitive attributes can also be encrypted.

customerid/application/custom/eidm2.properties
# Custom attribute display
ui.selfservice.userinfo.fields.order = firstname, surname, login, email, mobile, ssn, telephonecodeword
ui.admin.userinfo.fields.order = firstname, surname, login, email, mobile, ssn, telephonecodeword, idverificationlink
ui.admin.organizationinfo.fields.order = technicalname, friendlyname, crmid, leicode, billingcode
data.attribute.encrypt = telephonecodeword
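
A consistency check over the eidm2.properties sample above, as an added example (not Ubisecure's code): it reports which user attributes are admin-only and which attributes classified as sensitive are not named in data.attribute.encrypt. The SENSITIVE set, the function names and the reading of data.attribute.encrypt as a comma-separated list are assumptions of this example.

```python
# Constructed sample: the eidm2.properties lines shown on this page.
EIDM2 = """\
# Custom attribute display
ui.selfservice.userinfo.fields.order = firstname, surname, login, email, mobile, ssn, telephonecodeword
ui.admin.userinfo.fields.order = firstname, surname, login, email, mobile, ssn, telephonecodeword, idverificationlink
ui.admin.organizationinfo.fields.order = technicalname, friendlyname, crmid, leicode, billingcode
data.attribute.encrypt = telephonecodeword
"""

# Assumption: the custom attributes this deployment classifies as sensitive.
SENSITIVE = {"telephonecodeword", "idverificationlink"}


def parse_properties(text):
    """Parse simple 'key = value' lines, skipping blanks and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def csv_list(props, key):
    """Return the comma-separated value of key as a list of names."""
    return [v.strip() for v in props.get(key, "").split(",") if v.strip()]


def audit(text, sensitive=SENSITIVE):
    """Compare display lists and the encryption list against 'sensitive'."""
    props = parse_properties(text)
    selfservice = set(csv_list(props, "ui.selfservice.userinfo.fields.order"))
    admin = set(csv_list(props, "ui.admin.userinfo.fields.order"))
    encrypted = set(csv_list(props, "data.attribute.encrypt"))
    return {
        # Shown to administrators but never on the customer's own pages.
        "admin_only": sorted(admin - selfservice),
        # Sensitive values the customer can see and edit in self-service.
        "sensitive_in_selfservice": sorted(sensitive & selfservice),
        # Sensitive values stored without attribute encryption.
        "sensitive_not_encrypted": sorted(sensitive - encrypted),
        # Names in the encrypt list that appear in no user display list.
        "encrypted_but_not_displayed": sorted(encrypted - admin - selfservice),
    }


if __name__ == "__main__":
    for finding, names in audit(EIDM2).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

On the sample configuration, idverificationlink is reported as admin-only and as not encrypted; whether that is acceptable depends on what the linked archive enforces on its own.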


The localization file for each language, messages_XX.properties, specifies the text to use for the display of attributes and supporting tooltips in each type of display:

customerid/application/custom/messages_en.properties
# user custom attributes
# telephonecodeword
admin.approval.user.telephonecodeword.tooltip = A code word set by the customer to further assist user identification in telephone calls.
admin.roleinvitation.user.telephonecodeword.tooltip = A code word selected and set by the customer to further assist user identification during telephone calls or chat sessions.
registerWizard.telephonecodeword = Customer service code word
registration.basicuser2.input.user.telephonecodeword.tooltip = Please think of a code word that may be asked to verify transaction in telephone calls.
tooltip.user.attribute.modification.telephonecodeword = A code word selected and set by the customer to further assist user identification during telephone calls or chat sessions.
user.telephonecodeword = Customer service code word

# user custom attributes
# idverificationlink
admin.approval.user.idverificationlink.tooltip = A URL to the ID verification documents used to open the account.
admin.roleinvitation.user.idverificationlink.tooltip = A URL to the ID verification documents used to open the account.
registerWizard.idverificationlink = ID verification evidence
registration.basicuser2.input.user.idverificationlink.tooltip = A URL to the ID verification documents used to open the account.
tooltip.user.attribute.modification.idverificationlink = A URL to the ID verification documents used to open the account.
user.idverificationlink = ID verification evidence

# organization custom attributes
# leicode, billingcode
# shown during registration
registerWizard.organization.leicode = LEI
# shown on organization details page
organization.leicode = LEI

# billingcode
# shown during registration
registerWizard.organization.billingcode = Billing code
# shown on organization details page
organization.billingcode = Billing code

It is possible to refine even further which attributes are shown to which types of users, using the settings in the permissions.properties file.

Remember to index custom attributes stored in LDAP, if used for lookup

During Directory User Mapping, on an LDAP with hundreds of thousands of users, searches based on non-indexed values are slow.

If you map users based on attributes like telephoneNumber, add an index on that attribute to speed up the search.

On OpenLDAP, the description field is indexed by default.

On AD LDS, description is not indexed by default. (Oct 2020)