You can include attributes in assertions. Servlets or applications can use attributes to display customized content for a user. User attributes, DN attributes, or static data can all be passed from the producer to the consumer in an assertion. When used with web applications, attributes can limit the activities of a user at the consumer. For example, the producer sends an attribute named Authorized Amount. The consumer sets this attribute to a maximum dollar amount that the user can spend.
Attributes take the form of name/value pairs and include information, such as a mailing address, business title, or an approved spending limit for transactions. When the consumer receives the assertion, it extracts the attributes. The consumer makes the attributes available to applications as HTTP header variables or HTTP cookie variables.
To pass the attributes, configure a response. The responses available for this purpose are:
The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:
You can configure responses to pass attributes from a SAML assertion to a target application at the consumer site.
To configure an attribute for an assertion
The Add Attribute dialog opens.
Click Help for the field descriptions.
Your selection determines the available fields in the Attribute Fields section.
Static
Fill in the following fields:
Enter the name for the attribute CA SiteMinder® returns to the affiliate.
Enter the static text as the value for the name/value pair.
For example, to return the name/value pair show_content=yes, enter show_content as the variable name and yes as the variable value.
User Attribute
Fill in the following fields:
Enter the name for the attribute CA SiteMinder® returns to the consumer.
Enter the attribute in the user directory for the name/value pair.
For example, to return the email address of a user to the consumer, enter email_address as the Variable Name, and email as the Attribute Name.
DN Attribute
Fill in the following fields:
Enter the name for the attribute CA SiteMinder® returns to the consumer.
Enter the distinguished name of the user group from which CA SiteMinder® retrieves the user attribute. The DN value is returned to the consumer. If you do not know the DN, click Lookup. Use the CA SiteMinder® User Lookup dialog to locate the user group and select a DN.
Enter the attribute in the user directory for this attribute for the name/value pair.
If you selected Affiliate-HTTP-Cookie-Variable from the Attribute menu, the Variable Name field label changes to Cookie Name.
The maximum length for user assertion attributes is configurable. To modify the maximum length of assertion attributes, change the settings in the EntitlementGenerator.properties file.
The property name in the file is specific to the protocol you are configuring.
Follow these steps:
WS-Federation
Property Name: com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength
Property Type: Positive Integer value
Default Value: 1024
Description: Indicates the maximum attribute length for WS-FED assertion attributes.
SAML 1.x
Property Name: com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength
Property Type: Positive Integer value
Default Value: 1024
Description: Indicates the maximum attribute length for SAML1.1 assertion attributes.
SAML 2.0
Property Name: com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength
Property Type: Positive Integer value
Default Value: 1024
Description: Indicates the maximum attribute length for SAML2.0 assertion attributes.
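The following added example (not CA SiteMinder® code) audits the contents of an EntitlementGenerator.properties file: it resolves the effective maximum attribute length for each protocol using the property names and default listed above, rejects values that are not positive integers, and flags attribute values that are longer than a limit. The sample file content, the sample attribute values, the function names, and measuring length in characters are assumptions made for illustration.

```python
# Added example: audit the per-protocol MaxUserAttributeLength settings.
DEFAULT_MAX = 1024  # default value documented for all three properties
PROPS = {
    "WS-Federation": "com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength",
    "SAML 1.x": "com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength",
    "SAML 2.0": "com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength",
}

def parse_properties(text):
    """Parse simple key=value / key:value lines; skip blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def effective_limits(text):
    """Return ({protocol: limit}, [errors]); unset properties use the default."""
    props, limits, errors = parse_properties(text), {}, []
    for proto, key in PROPS.items():
        raw = props.get(key)
        if raw is None:
            limits[proto] = DEFAULT_MAX
        elif raw.isdigit() and int(raw) > 0:
            limits[proto] = int(raw)
        else:
            errors.append(f"{key}={raw!r} is not a positive integer")
    return limits, errors

def oversized(attributes, limit):
    """Names of attributes whose value exceeds the limit (characters: an assumption)."""
    return sorted(n for n, v in attributes.items() if len(v) > limit)

# Constructed sample file content and attribute values, for illustration only.
SAMPLE = """\
# EntitlementGenerator.properties (constructed excerpt)
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=2048
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength = 0
"""
SAMPLE_ATTRS = {"email_address": "user@example.com", "group_list": "g" * 1500}

if __name__ == "__main__":
    limits, errors = effective_limits(SAMPLE)
    print(limits, errors)
    print(oversized(SAMPLE_ATTRS, limits["SAML 1.x"]))
```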
The Advanced section of the Add Attribute page contains the Script field. This field displays the script that CA SiteMinder® generates based on your entries in the Attribute Setup section. You can copy the contents of this field and paste them into the Script field for another response attribute.
Note: If you copy the contents of the Script field to another attribute, select the appropriate option button in the Attribute Kind group.
Copyright © 2015 CA Technologies.
All rights reserved.