
Assertion Configuration

The Assertion Configuration step of the Partnership wizard defines the configuration for the Name ID and the inclusion of attributes in an assertion.

The Name ID identifies a user in a unique way. The format of the Name Identifier establishes the type of content used for the ID in the assertion. The Name ID format is a required element in an assertion.

Attributes can provide information about a user requesting access to a relying-party resource. An attribute statement passes user attributes, DN attributes, or static data from the asserting party to the relying party in a SAML assertion. Any configured attributes are included in the assertion in an <AttributeStatement> element or, if encrypted, in an <EncryptedAttribute> element. Attributes take the form of name/value pairs and can be made available as HTTP Headers or HTTP Cookies. When the relying party receives the assertion, it takes the attribute values and makes them available to applications.

Note: Attribute statements are not required in an assertion.
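As an added example (not Federation Manager code), here is how a relying party might read the two elements this page configures from a received assertion: the Name ID with its required Format, and the attribute statement as name/value pairs, keeping every value of a multi-valued attribute and counting attributes that are still encrypted. The sample assertion and its values are constructed, and the code assumes the assertion's signature has already been verified before parsing.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion; issuer, user and values are placeholders.
# Signature checking is assumed to have happened before this point.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-abc123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>auditors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="AuthorizedAmount">
      <saml:AttributeValue>5000</saml:AttributeValue>
    </saml:Attribute>
    <saml:EncryptedAttribute><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAttribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_name_id(assertion_xml):
    """Return (value, format). The Format is required, so reject an assertion without it."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or "Format" not in name_id.attrib:
        raise ValueError("assertion lacks a NameID with a Format")
    return name_id.text, name_id.attrib["Format"]


def parse_attributes(assertion_xml):
    """Return (attributes, encrypted_count).

    attributes maps each Attribute Name to the list of its AttributeValue texts,
    so multi-valued attributes keep every value; an assertion with no
    AttributeStatement yields an empty dict. encrypted_count tells the caller how
    many <EncryptedAttribute> elements still need decryption before use."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.attrib["Name"]] = values
    encrypted = len(root.findall("saml:AttributeStatement/saml:EncryptedAttribute", NS))
    return attrs, encrypted
```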

Servlets, Web applications, or other custom applications can use attributes to display customized content or enable other custom features. When used with Web applications, attributes can implement fine-grained access control by limiting what a user can do at the relying party. For example, an attribute variable named Authorized Amount is set to a maximum dollar amount that the user can spend at the relying party.

Typically, attributes come from user directory records, but an assertion can contain attributes from other sources, such as an external database or application content. You can write an assertion generator plug-in that pulls in attributes from various sources. The assertion generator plug-in is a piece of custom code that you write according to the Assertion Generator Plugin interface for Federation Manager.

To determine assertion configuration

  1. Navigate to the Assertion Configuration step of the Partnership wizard.
  2. Select values for the Name ID Format and the Name ID Type in the Name ID group box.

    The relying party uses these values to know how to interpret the value that is passed in the assertion.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. Based on the value of the NameID Type, do one of the following:
  4. (Optional - SAML 2.0 only) Select Allow Creation of User Identifier so the asserting party can create a value for the NameID. For this feature to work, the AuthnRequest from the relying party must include an AllowCreate attribute.

    Note: If you select this option, the value of the Name ID Format must be Persistent Identifier.

  5. (Optional) Click Add Row in the Assertion Attributes table to specify one or more attributes for inclusion in the assertion. Optionally, you can encrypt the attribute.

    Click Help for detailed information about the columns in the attribute table.

    Note: For attributes from an LDAP user store, you can add multi-valued user attributes to an assertion. The Help describes how to specify multi-valued user attributes.

  6. (Optional) If you have created an assertion generator plug-in using the Federation Manager SDK, complete the fields in the Assertion Generator Plug-in section.

    To write a plug-in, see the Federation Manager Java SDK Guide.

  7. Click Next to continue with partnership configuration.