Configure Attributes for Assertions (optional)

Attributes can provide additional information about a user requesting access to a Service Provider resource. An attribute statement passes user attributes, DN attributes, or static data from the Identity Provider to the Service Provider in a SAML assertion. Any configured attributes are included in one <AttributeStatement> element or the <EncryptedAttribute> element in the assertion.

Note: Attribute statements are not required in an assertion.

Servlets, web applications, or other custom applications use attributes to display customized content or enable other custom features. When used with web applications, attributes can limit the actions of a user at the Service Provider. For example, you can send an attribute variable named Authorized Amount set to a maximum dollar amount. The amount is the limit that the user can spend at the Service Provider.

Note: If CA SiteMinder® acts as a SAML 2.0 Attribute Authority as part of the assertion query/request profile, attributes are part of the authorization process. The topic Use an Attribute Authority to Authorize Users describes this implementation.

Attributes take the form of name/value pairs. When the Service Provider receives the assertion, it makes the attribute values available to applications.

Attributes can be made available as HTTP Headers or HTTP Cookies.

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

Specify Attributes for SSO Assertions

Attributes can provide information about a user requesting access to a Service Provider resource. An attribute statement passes user attributes, DN attributes, or static data from the Identity Provider to the Service Provider in a SAML assertion.

To configure an attribute

  1. Navigate to the Attributes settings for the entity you are editing.
  2. Click Add.

    The Add Attributes page opens.

  3. From the Attribute Type drop-down list, select the name format type. This entry must match the NameFormat attribute of the <Attribute> element in an assertion attribute statement. The type classifies the attribute name so that the Service Provider can interpret the name.

    The options are:

    unspecified

    Indicates that the interpretation of the name is left to your implementation.

    basic

    Indicates that the name must use acceptable values. The acceptable values are the values that belong to the primitive type xs:Name.

    URI

    Indicates that the name format must follow the standards for a URI reference. How the URI is interpreted is specific to the application using the attribute value.

  4. From the Attribute Setup section, select one of the following options in the Attribute Kind section:

    The Attribute Kind selection determines the available fields in the Attribute Fields section.

  5. Configure the Attribute Fields section of the page. The settings vary depending on the Attribute Kind selection. The options are:
  6. (Optional) If the attribute is retrieved from an LDAP user directory with nested groups, the Policy Server can retrieve DN attributes from the nested groups. To use nested groups, select the Allow Nested Groups check box in the Attribute Kind section.
  7. (Optional) To encrypt attribute values, select the Encrypted check box.
  8. For the Retrieval Method, accept the default value, SSO, to confirm that the attribute is only for single sign-on assertions.
  9. Click OK to save the changes.

Use a Script to Create a New Attribute

The Advanced section of the Attribute dialog contains the Script field. This field displays the script that CA SiteMinder® generates based on your entries in the Attribute Setup section. You can copy the contents of this field and paste them into the Script field for another response attribute.

Note: If you copy and paste the contents of the Script field for another attribute, select the appropriate option in the Attribute Kind section.

Specify the Maximum Length of Assertion Attributes

The maximum length for user assertion attributes is configurable. To modify the maximum length of assertion attributes, change the settings in the EntitlementGenerator.properties file.

The property name in the file is specific to the protocol you are configuring.

Follow these steps:

  1. On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\EntitlementGenerator.properties.
  2. Open the file in a text editor.
  3. Adjust the maximum user attribute length for the protocols in use in your environment. The settings for each protocol are as follows:

    WS-Federation

    Property Name: com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for WS-FED assertion attributes.

    SAML 1.x

    Property Name: com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML 1.1 assertion attributes.

    SAML 2.0

    Property Name: com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML 2.0 assertion attributes.

  4. Restart the Policy Server after any change to these parameters.
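
As an added example (not CA SiteMinder code), the following Python check ties together the name format selected in step 3 of the attribute procedure and the maximum length configured above: it reads the SAML 2.0 limit from properties text and reports attributes whose name does not fit the declared NameFormat or whose value is longer than the limit. The sample properties and assertion are constructed, the function names are hypothetical, and counting length in characters is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
PROP = "com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength"
XS_NAME = re.compile(r"[A-Za-z_:][A-Za-z0-9_:.\-]*\Z")  # ASCII subset of xs:Name
URI_REF = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+\Z")  # RFC 3986 characters only

def max_attr_length(properties_text, default=1024):
    """Return the SAML 2.0 limit from .properties text, or the documented default."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2 and parts[0] == PROP:
            if not re.fullmatch(r"[1-9][0-9]*", parts[1]):
                raise ValueError("%s must be a positive integer: %r" % (PROP, parts[1]))
            return int(parts[1])
    return default

def audit_attributes(assertion_xml, limit):
    """List (attribute name, problem) pairs for one unencrypted assertion."""
    findings = []
    root = ET.fromstring(assertion_xml)  # constructed input only; not a hardened parser
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        fmt = attr.get("NameFormat", FMT + "unspecified")  # SAML 2.0 default
        if fmt == FMT + "basic" and not XS_NAME.match(name):
            findings.append((name, "name is not an xs:Name"))
        elif fmt == FMT + "uri" and not URI_REF.match(name):
            findings.append((name, "name is not a URI reference"))
        for value in attr.iterfind("saml:AttributeValue", NS):
            if len(value.text or "") > limit:  # assumption: length counted in characters
                findings.append((name, "value exceeds %d characters" % limit))
    return findings

# Constructed sample data, not taken from a real deployment.
SAMPLE_PROPS = "# constructed sample\n" + PROP + "=1024\n"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="Authorized Amount" NameFormat="{f}basic">
   <saml:AttributeValue>500</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="urn:example:groups" NameFormat="{f}uri">
   <saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>""".format(f=FMT, v="g" * 1500)

if __name__ == "__main__":
    for name, problem in audit_attributes(SAMPLE_ASSERTION, max_attr_length(SAMPLE_PROPS)):
        print(name, "->", problem)
```

The name Authorized Amount is reported under the basic format because xs:Name does not allow a space; the same name passes when the attribute is declared as unspecified.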

Attributes for SSO and Attribute Query Requests

Indicate whether an attribute that you configure is for a single sign-on request, or for an attribute query request. The retrieval method that you configure determines the function of the attribute.

To use the same attribute for both services, create two attribute statements that use the same attribute name and variable. However, one attribute uses SSO as the retrieval method and one uses Attribute Service as the retrieval method.