Variables can be used in rules and headers. All rules are concerned:
Variables are stored in the user session. We can distinguish several kind of variables:
When you know the key of the variable, you just have to prefix it with the dollar sign to use it, for example to test if  uid variable match coudot :
$uid eq "coudot"
Below are documented internal variables.
Register what module was used for authentication, user data, password, …
| Key | Description | 
|---|---|
| _auth | Authentication module | 
| _userDB | User module | 
| _passwordDB | Password module | 
| _issuerDB | Issuer module (can be multivalued) | 
| _authChoice | User choice done if authentication choice was used | 
| _authMulti | Since 1.4.6 Full name of authentication module (with #label) used in Multi | 
| _userDBMulti | Since 1.4.6 Full name of user module (with #label) used in Multi | 
Datas concerning the first connection to the portal
| Key | Description | 
|---|---|
| ipAddr | IP of the user (can be the X Forwarded For IP if trusted proxies are configured) | 
| _timezone | Timezone of the user, set with javascript from standard login form (will be empty if other authentication methods are used) | 
| _url | URL used before being redirected to the portal (empty if portal was used as entry point) | 
Datas around the authentication process.
| Key | Description | 
|---|---|
| _session_id | Session identifier (carried in cookie) | 
| _user | User found from login process | 
| _password | Password found from login process (only if password store in session is configured) | 
| authenticationLevel | Authentication level | 
| Key | Description | 
|---|---|
| _utime | Timestamp of session creation | 
| startTime | Date of session creation | 
| updateTime | Date of session last modification | 
| _lastAuthnUTime | Timestamp of last authentication time | 
Datas related to SAML protocol
| Key | Description | 
|---|---|
| _idp | Name of IDP used for authentication | 
| _idpConfKey | Configuration key of IDP used for authentication | 
| _samlToken | SAML token | 
| _lassoSessionDump | Lasso session dump | 
| _lassoIdentityDump | Lasso identity dump | 
| Key | Description | 
|---|---|
| _notification_id | Date of validation of the notification id | 
| Key | Description | 
|---|---|
| loginHistory | HASH of login success and failures | 
Only with UserDB LDAP.
| Key | Description | 
|---|---|
| dn | Distinguished name | 
| Key | Description | 
|---|---|
| _openid_id | Consent to share attribute id trough OpenID | 
| Key | Description | 
|---|---|
| appsListOrder | Order of categories in the menu |