

New Features

This section contains the following topics:

Claims Transformation of Assertion Attributes

Session Store Attributes Available for Assertions

WS-Federation 1.2 Support

WS-Federation Metadata Exchange

SAML 2.0 Attribute Query Support

SAML 2.0 User Attribute Retrieval from a Third-Party Identity Provider

SAML 2.0 Attribute Authority Metadata

Claims Transformation of Assertion Attributes

Claims transformation manipulates claims during a federated single sign-on transaction. Claims, also known as attributes, help customize the attributes and improve the user experience at a partner.

The software can perform three different modifications to assertion attributes:

More information:

How to Configure Claims Transformation at the Asserting Party

Session Store Attributes Available for Assertions

Session attributes can be persisted in the session store after a user is authenticated. From the session store, the system can add the attributes to an assertion to customize the requested application.

More information:

How To Add Session Attributes to an Assertion

WS-Federation 1.2 Support

CA SiteMinder® now supports the WS-Federation 1.2 profile for partnership federation. You can configure single sign-on and sign-out using the WS-Federation profile.

More information:

Product and Configuration Overview

WS-Federation Metadata Exchange

The Policy Server supports the Web Services Metadata Exchange profile for WS-Federation partnerships. This web service enables the CA SiteMinder® local partner to respond to requests from a remote partner for metadata. The exchange occurs as an HTTP request and response.

More information:

How To Enable WS-Federation Metadata Exchange

SAML 2.0 Attribute Query Support

A CA SiteMinder® IdP supports the SAML 2.0 Assertion Query/Request profile and can respond to attribute queries. The IdP also extends the profile functionality by accepting queries for attributes not in the assertion or in the metadata. When the IdP receives an attribute query, the IdP first checks its user directory to find the attributes. If the attributes are not found, the Policy Server checks the session store.

Note: Only the CA SiteMinder® IdP supports the query profile. A CA SiteMinder® SP as the requesting partner only supports the proxied attribute query feature.

SAML 2.0 User Attribute Retrieval from a Third-Party Identity Provider

In a SAML 2.0 federated environment, CA SiteMinder® supports a feature referred to as a proxied attribute query. The proxied attribute query is based on the SAML 2.0 Assertion Query/Request profile.

A proxied query enables the Policy Server to contact a third-party Identity Provider and request values for attributes that are not in its session store. The Policy Server can then pass the attributes back to the application at the Service Provider.

More information:

Retrieve User Attribute Values from a Third-Party (SAML 2.0)

SAML 2.0 Attribute Authority Metadata

When you export metadata from a local SAML 2.0 IdP entity or an IdP-to-SP partnership, the attribute service URL is in the exported metadata. This information is relevant for local IdPs acting as an Attribute Authority, one of the roles necessary for the Attribute Query/Response profile.