

Create a SAML Assertion Variable

SAML Assertion variables let you obtain information from any SAML assertion and use this information in policy expressions to authorize a client. The assertion may be included in a SOAP envelope or HTTP header of an incoming XML message. For example, you can create a variable that enables the Policy Server to check who issued the assertion before permitting access to a web service.

SAML assertion variables are resolved to the value of an XPath string. The string identifies an element (and optionally, an operation to perform on that element) of a SAML assertion.

Note: For more information about XPath, see the XPath specification available at http://www.w3.org/TR/xpath.
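The resolution described above, as an added illustration that is not part of this documentation or the SiteMinder product: a constructed SOAP message carries a SAML assertion in its envelope header, an XPath string is evaluated against it to produce the variable value (here the Issuer), and a policy-style check permits the request only when that value matches a trusted issuer. The SOAP 1.1 and SAML 2.0 namespaces, the message content, and the function names are assumptions; an assertion whose Issuer is missing resolves to no value and is denied.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used in the XPath queries (SOAP 1.1 and SAML 2.0 assumed)
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample message: a SAML assertion carried in the SOAP envelope header
SAMPLE_MESSAGE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
      <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

# Constructed sample message whose assertion carries no Issuer element
NO_ISSUER_MESSAGE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def resolve_saml_variable(message_xml: str, xpath: str):
    """Resolve a SAML assertion variable: evaluate the (relative) XPath against
    the message and return the text of the first matching element, or None."""
    root = ET.fromstring(message_xml)
    match = root.find(xpath, NS)
    return match.text if match is not None else None


def authorize(message_xml: str, expected_issuer: str) -> bool:
    """Equivalent of a policy expression on the variable: permit only when the
    assertion's Issuer resolves to the trusted issuer; an unresolved variable
    (no Issuer element) fails closed."""
    issuer = resolve_saml_variable(message_xml, ".//saml:Assertion/saml:Issuer")
    return issuer is not None and issuer == expected_issuer
```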

Follow these steps:

  1. Click Policies, Domain.
  2. Click Variables.
  3. Click Create Variable.

    Verify that the Create a new object of type Variable option is selected.

  4. Click OK.
  5. Select a domain from the list and click Next.
  6. Type the variable name in the Name field.
  7. Select SAML Assertion from the Variable Type list.

    SAML Assertion variable settings open.

  8. Specify the data type in which the value of the specified XPath query should be returned by choosing one of the following options from the Return Type list:
  9. Type in an XPath query that you want to resolve to the variable value in the Query box.
  10. Optionally, set the SAML Authentication Scheme Required box if the web service is protected by the SAML Session Ticket authentication scheme.
  11. If the web service is not protected by the SAML Session Ticket authentication scheme, specify whether the SiteMinder WSS Agent should look for the SAML assertion in the Envelope Header or HTTP Header by selecting the appropriate SAML Assertion Location option.
  12. Click Finish.

    The variable appears in the Variables tab of the domain. The variable can now be used in policy expressions or responses.