Before setting up an Identity Injection policy, determine the following details about your web application:
Does it require an authentication header? Does this header need just the username or does it also need the password?
Does it use a custom header with custom names (x-names)? If so, you need to know their names and their expected values.
Does the custom header require any custom names (x-names) with tags? If so, gather this information.
Does the application expect specific values in the query string of the URL? If so, gather this information.
Does it require the authentication information from the Kerberos tickets? If so, gather this information.
Does the application require Access Gateway to fetch OAuth token and pass it over to the header? If so, gather this information.
After gathering the information, you need to determine whether you need to create one policy with one rule, one policy with multiple rules, or multiple policies. If you have multiple applications that require the same type of authentication header, you might want to create an authentication header policy and separate policies for the application-specific information. You can then enable both the authentication header policy and the application-specific policy for the resource that is protecting the application. You must design your policies so that the application receives just what it needs. It must not inject custom names and values it does not use.
Everything defined in a policy is injected into the header, even if the values are empty because Access Manager could not obtain the value for the item. For some applications, this is still useful information and the application uses it to make access decisions.
Whether you create a policy with one rule or multiple rules is a personal design decision. If you put all the actions in one rule, you have only one description field to describe the function of the policy. If you put each action type in a separate rule, you have multiple description fields to describe the function of the policy. Select the method that is easiest for you.
Rules are evaluated by priority. The first rule that is evaluated with an authentication header is processed, and the authentication header is rejected if it is found in any of the other rules. Your policy can inject only one authentication header, one cookie header, and one query string, but it can inject multiple custom headers and custom headers with tags.