Configuration Guides › Federation Security Services Guide › Configure SOA Security Manager as a SAML 1.x Producer › Configure Attributes to Include in SAML 1.x Assertions (Optional)

Configure Attributes to Include in SAML 1.x Assertions (Optional)

You can include attributes in assertions. Servlets or applications can use attributes to display customized content for a user. User attributes, DN attributes, or static data can all be passed from the producer to the consumer in an assertion. When used with web applications, attributes can offer fine-grained access control by limiting what a user can do at the consumer. For example, you can send an attribute named Authorized Amount and set it to a maximum dollar amount that the user can spend.

Attributes take the form of name/value pairs and include information, such as mail address, business title, or an approved spending limit for transactions. When the consumer receives the assertion, it takes the attributes and makes them available to applications as HTTP header variables or HTTP cookie variables.

To pass the attributes, configure a response. The responses available for this purpose are:

• Affiliate-HTTP-Header-Variable
• Affiliate-HTTP-Cookie-Variable

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

• For HTTP headers, SOA Security Manager can send an attribute in a header up to the web server size limit for a header. Only one assertion attribute per header is allowed. See the documentation for your web server to determine the header size limit.
• For HTTP cookies, SOA Security Manager can send a cookie up to the size limit for a cookie. Each assertion attribute is sent as its own cookie. The cookie size limit is browser-specific, and that limit is for all attributes being passed to the application, not for each attribute. See the documentation for your web browser to determine the cookie size limit.

More Information:

Attribute Types