A CA SiteMinder® IdP supports the SAML 2.0 Assertion Query/Request profile and can respond to attribute queries. The IdP also extends the profile functionality by accepting queries for attributes not in the assertion or in the metadata. When the IdP receives an attribute query, the IdP first checks its user directory to find the attributes. If the attributes are not found, the Policy Server checks the session store. The session store can hold attributes from external Identity Providers, attributes collected from advanced authentication schemes, and other sources.
Note: Only the CA SiteMinder® IdP supports the query profile. A CA SiteMinder® SP as an attribute requester is only supported for the proxied attribute query feature.
The IdP has all the user attributes that an SP can request in its metadata. An SP can obtain these attributes in two ways:
The Identity Provider assertion configuration determines the set of attributes included. Defining a subset of all the attributes limits the number of attributes to the most essential, which reduces processing overhead.
In addition to the attributes in the metadata, an SP can require attributes that are not in the assertion or in the metadata. To retrieve other attributes, the SP sends an attribute query to the IdP.
The query request profile employs two entities:
A CA SiteMinder® IdP can only act as an Attribute Authority. A CA SiteMinder® SP cannot be the Attribute Requester.
The following graphic shows the configuration steps for an Attribute Authority.
Complete the the following steps:
If CA SiteMinder® is at both sides of the partnership, you cannot use the Assertion Query/Response profile.
For the IdP to respond to attribute queries, an IdP-to-SP partnership must exist. You can create a partnership or modify an existing partnership.
The steps for creating a partnership include:
These steps are detailed throughout this guide.
You can configure an IdP to serve as an Attribute Authority.
Follow these steps:
An example for an LDAP user directory is uid=%s. At least one search specification is required.
The Identity Provider is now set up to serve as an Attribute Authority. This authority can now respond to attribute queries from a third-party SP.
Copyright © 2014 CA.
All rights reserved.
|
|