Federation Guides › Legacy Federation Guide › Authorize Users with Attributes from an Assertion Query

Authorize Users with Attributes from an Assertion Query

This section contains the following topics:

Perform Authorizations with an Attribute Authority

Flow Diagram for Authorizing a User with User Attributes

How to Configure an Attribute Authority and a SAML Requester

How to Set up a SAML Requester to Generate Attribute Queries

Perform Authorizations with an Attribute Authority

The Policy Server authorizes a user with the following types of information:

• Users that are specified in the policy configuration
• Policy expressions
• Active policies
• IP address restrictions
• Time restrictions

The Policy Server also authorizes a user with user attributes that a SAML 2.0 Attribute Authority provides. When a user requests access to a protected resource, the Policy Server, as the authorizing entity, can request more user attributes. The Policy Server evaluates these attributes before granting access to the resource.

The SAML 2.0 Assertion Query/Request profile employs two entities, a SAML Attribute Authority and a SAML Requester.

SAML Attribute Authority

The SAML Attribute Authority relies on an Attribute Service to process a query message and add attributes to an assertion. These assertions contain user attributes that a SAML Requester uses to authorize access to protected resources. The Attribute Service is part of the Federation Web Services application.

When an entity makes a request to an Attribute Authority, the message contains the user attributes that the requester wants to retrieve. The message also contains the Name ID and the Issuer of the request. The Attribute Service uses the NameID to disambiguate the user so it knows what values to return for the requested attributes. The Attribute Service returns a response message that includes an attribute assertion that is wrapped in a SOAP message. This response includes the user attributes.

Note: The user does not need to be authenticated at the Attribute Authority. Also, there is no need for a single sign-on relationship between the Authority and the Requester.

SAML Requester

The SAML Requester is a SAML entity that uses the SAML 2.0 Assertion Query/Request profile to request attributes for a user. For CA SiteMinder®, the SAML Requester is not a specific service, but a group of Policy Server features that can produce and process <AttributeQuery> messages. The Requester asks for the user attributes from the Attribute Authority because the protected target resource always resides at the SAML requester. The Requester resolves these attributes into variables that a policy expression uses.

Note: In a CA SiteMinder® federated environment, the SAML Attribute Authority is the Identity Provider and the SAML Requester is the Service Provider. However, this condition does not have to be the case.

To evaluate an authorization request that is based on SAML 2.0 user attributes, add an attribute type named federation attribute variable to a policy expression. The policy protecting the target resource uses this variable. Based on the policy variable, the SAML Requester sends a query message to the Attribute Authority. This query message contains the Name ID for the SAML entity for which the attributes are being requested. The SAML Attribute Authority returns a response message containing assertions with the attribute statements.

A user must have a session at the SAML Requester; however, the user does not have to log in or authenticate at the Attribute Authority.

The following figure shows how an attribute query is processed.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

Flow Diagram for Authorizing a User with User Attributes

The following flow diagram shows the authorization process with an Attribute Authority.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

The sequence of a user attribute request is as follows:

1. A user accesses a protected resource. The user can log in locally or can be authenticated through a SAML assertion.
2. The Web Agent at the SAML Requester calls the local Policy Server determine whether the user is authorized to access the resource. The policy that protects the resource uses a policy expression for authorization with a federated attribute variable.
3. The Policy Server tries to resolve these variables but cannot. The Policy Server looks up the user in the local user store to obtain the NameID of the user.
4. An attribute query is sent to the AttributeService URL at the Attribute Authority. The AttributeQuery contains the users NameID and the requested attributes.
5. The Attribute Authority returns a SAML response containing an assertion with the requested attributes.
6. The SAML Requester completes the resolution of variables and then evaluates the policy expression.
7. An authorization status message is returned to the Web Agent.
8. Depending on the authorization status, the Web Agent allows or denies access to the requested resource.

How to Configure an Attribute Authority and a SAML Requester

In a CA SiteMinder® context, the Attribute Authority is the Identity Provider.

To configure CA SiteMinder® to act as a SAML Attribute Authority

1. Define a search specification for locating a user. Enter the NameID into the search specification.
2. Configure the back channel across which the Authority sends the response to a query.
3. Define the attributes that are returned in response to a query.
4. Grant users access to the attribute authority service.

In a CA SiteMinder® context, the SAML Requester is the Service Provider.

To configure CA SiteMinder® as a SAML Requester

1. Enable the attribute query functionality.
2. Configure the back channel across which the Requester receives the response from the Authority.
3. Define the list of attributes requested in the attribute query.
4. Configure the federation attribute variables.
5. Configure the NameID for inclusion in the attribute query.

Set up the Attribute Authority

In a CA SiteMinder® context, the Attribute Authority is the Identity Provider with the Attribute Authority service enabled.

Note: You do not need to configure other Identity Provider features, such as single sign-on to have the Identity Provider act as an Attribute Authority.

To configure an Attribute Authority

1. Log on to the Administrative UI.
2. Navigate to the Service Provider object that represents the SAML Requester. The SAML Requester requests the user attributes.
3. Select Modify.

   The SAML Service Provider page opens.

4. Select the Attributes tab.
5. In the Attribute Svc section, select Enable. This check box enables the Attribute Authority feature.
6. (Optional) Modify the value of the Validity Duration. You can accept the default of 60 seconds.

   Modify this setting only if you want the assertion to be valid for longer than 60 seconds.

   Note: Click Help for the field descriptions.

7. (Optional) Configure one or both of the signing settings. Neither setting is required.

   Require Signed Attribute Query

   Select this option if you want to the Attribute Authority to accept only signed queries from the SAML Requester.

   Signing Options

   Select one of the options to sign the attribute assertion, the SAML response, both, or neither when they are returned to the SAML Requester.

8. In the User Lookup section, specify a search specification for the namespace you want to use.

   Enter a namespace attribute that the authentication scheme uses as a search string.

   Use %s in the entry as the variable that represents the NameID. For example, the NameID has a value of user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is verified against the user store to find the correct record for authentication.

9. In the Backchannel section, complete the following fields:
   • Password
   • Confirm Password

   If you configured SAML 2.0 artifact authentication, you have already configured a password for the back channel. This password can be used for both SSO and the Attribute Authority Service.

10. Click Submit to save your changes.
11. Go to Configure the Attributes at the Attribute Authority.

Configure Attributes at the Attribute Authority

Indicate whether the attribute you are configuring is part of a single sign-on request, or an attribute query request. The Retrieval Method field in the SAML Service Provider Attribute dialog determines the attributes function.

To use the same attribute for both services, create two attribute statements that use the same Attribute name and variable. One attribute uses SSO as the retrieval method and one uses Attribute Services as the retrieval method.

To configure an attribute

1. Configure Attributes for SSO Assertions.

   The configuration process for configuring attributes at the Attribute Authority is the same for configuring attributes for single sign-on assertions.

2. Navigate to the Attributes dialog for the Service Provider object that represents the SAML Requester.
3. From the Attributes dialog, select Add in the Attribute section.

   The Add Attribute page displays.

4. Select Attribute Service for the Retrieval Method field in the Attribute Setup section of the page.

   If an attribute query requests this attribute, selecting Attribute Service as the Retrieval Method marks the attribute for inclusion in the attribute assertion.

Grant Relying Partners Access to the Attribute Authority Service

For the Attribute Authority Service to respond to requests, you must give the relying partners access to the service. This is a two-step process:

1. Add a Web Agent to the Federation Agent Group
2. Add Relying Partners to the Polciy for the Attribute Authority Service.

Add a Web Agent to the Federation Agent Group

Add the Web Agent that protects the FWS application to the Agent group FederationWebServicesAgentGroup.

• For ServletExec, this Agent is on the web server where the Web Agent Option Pack is installed.
• For an application server, such as WebLogic or JBOSS, this Web Agent is installed where the application server proxy is installed. The Web Agent Option Pack can be on a different system.

Follow these steps:

1. Log in to the Administrative UI.
2. Select Infrastructure, Agents, Create Agent.
3. Specify the name of the Web Agent in your deployment. Click Submit.
4. Select Infrastructure, Agent Groups.
5. Select the FederationWebServicesAgentGroup entry.

   The Agent Groups dialog opens.

6. Click Add/Remove and the Agent Group Members dialog opens.
7. Move the web agent from the Available Members list to the Selected Members list.
8. Click OK to return to the Agent Groups dialog.
9. Click Submit then click Close to return to the main page.

Add Relying Partners to the Policy for the Attribute Authority Service

If you are implementing authorizations with an Attribute Authority, the relying party in the partnership needs permission to access the attribute authority service. CA SiteMinder® protects the SAML 2.0 attribute authority with a policy.

When you install the Policy Server, the FederationWebServicesDomain is installed by default. This domain includes the SAML2FWSAttributeServicePolicy for the attribute service.

Grant access for the attribute service policy to any relevant relying partners.

Follow these steps:

1. In the Administrative UI, navigate to Policies, Domain, Domain Policies.

   A list of domain policies displays.

2. Select the SAML2FWSAttributeServicePolicy.

   The Domain Policies page opens.

3. Click Modify to change the policy.
4. Select the Users tab.
5. In the dialog for the SAML2FederationCustomUserStore user directory, click Add Members.

   The User/Groups page opens.

   The affiliate domain that you previously configured is listed in the Users/Groups dialog. For example, if the affiliate domain is named fedpartners, the entry is affiliate:fedpartners.

6. Select the check box next to the affiliate domain with the partners that require access to the service. Click OK.

   You return to the User Directories list.

7. Click Submit.

   You return to the policies list.

The necessary relying partners now have access to the attribute authority service.

How to Set up a SAML Requester to Generate Attribute Queries

For a CA SiteMinder® Service Provider to act as a SAML Requester, configure a SAML 2.0 authentication scheme so that an attribute query can be generated. Complete this configuration at the Service Provider site.

Follow these steps:

1. Log on to the Administrative UI
2. Navigate to a SAML 2.0 authentication scheme configuration.
3. Enable attribute queries and specify attributes.
4. Configure a Name ID for the attribute query.
5. Configure the back channel for the attribute query.
6. Configure a federation attribute variable.
7. Create a policy expression with the federation attribute variable.

Each step is detailed in the following sections.

Enable Attribute Queries and Specify Attributes

For a SAML requester to generate attribute queries, enable the attribute query functionality.

Follow these steps:

1. Log on to the Administrative UI.
2. Access the authentication configuration for the SAML 2.0 authentication scheme.
3. Select the Attributes tab.
4. In the Attribute Query section, select Enabled.
5. (Optional) Select the following check boxes:
   • Sign Attribute Query
   • Require Signed Assertions
   • Get All Attributes
6. Enter a value for the Attribute Service field.
7. In the Attributes section of the page, click Add.

   The Add Attributes page opens.

8. Enter values for the fields on the page.
9. Click OK to save your changes.

   You return to the Attributes page.

10. Configure the NameID. This NameID is included in the attribute query for use by the Attribute Authority.

Configure the NameID for the Attribute Query

A query message sent to the Attribute Authority includes the Name ID of the user whose attributes it is requesting. The Name ID configuration specifies how the SAML Requester obtains the Name ID. The requester then places the Name ID in the attribute query.

To specify a Name ID

1. Navigate to the Attributes dialog for the SAML Requester authentication scheme.
2. In the Name IDs section of the page, define the following settings:
   • Name ID Format
   • Name ID Type
   • Name ID Fields

   Click Help for the field descriptions.

3. Click OK to save your changes.
4. If the back channel is not already configured, configure it.

Configure the Backchannel for the Attribute Query

The attribute query is sent across a secure back channel to the Attribute Authority.

Only one back channel is available between the Service Provider and the Identity Provider. Therefore, the back channel configuration for the attribute query is the same back channel configuration that is used for the SAML artifact profile.

To configure the back channel

1. Navigate to the authentication scheme page for the SAML requester.
2. Click the Encryption & Signing tab.
3. In the Backchannel section, complete the following fields:
   • Authentication
   • SP Name
   • Password
   • Confirm Password

   Click Help for the field descriptions.

4. Click OK.

Create a Federation Attribute Variable

To use a federation attribute variable in a policy expression, first create the attribute variable.

To define a federation attribute variable

1. Navigate to Policies, Domain, Variables.

   The Variables dialog opens.

2. Select Create Variable.

   The first step of the configuration wizard displays the Domain section.

3. Select the federation policy domain where you plan to add the variable and click Next.
4. In the Define Variables step, complete the two fields in the General section.

   Name

   Identifies the variable.

   Variable Type

   Federation Attribute

5. Complete the fields in the Definition section.

   Click Help for the field descriptions.

6. Click Finish to save the variable.
7. Add this variable to a policy expression. The policy that protects a federated resource uses the policy expression.

Note: A policy expression can use multiple federation attribute variables; each variable is tied to a SAML 2.0 authentication scheme. Therefore, a single expression can result in many attribute requests sent to many Attribute Authorities.

Create a Policy Expression with the Federation Attribute Variable

To use a federation attribute variable as part of the authorization process, add the attribute variable to a policy expression. Associate this policy expression with the policy protecting the target resource at the SAML requester.

For information on creating a policy expression, see the Policies chapter in the Policy Server Configuration Guide.