Previous Topic: Back Channel Authentication for Artifact SSONext Topic: Retrieve User Attribute Values from a Third-Party (SAML 2.0)


SAML 2.0 Attribute Query Support

A CA SiteMinder® IdP supports the SAML 2.0 Assertion Query/Request profile and can respond to attribute queries. The IdP also extends the profile functionality by accepting queries for attributes not in the assertion or in the metadata. When the IdP receives an attribute query, the IdP first checks its user directory to find the attributes. If the attributes are not found, the Policy Server checks the session store. The session store can hold attributes from external Identity Providers, attributes collected from advanced authentication schemes, and other sources.

Note: Only the CA SiteMinder® IdP supports the query profile. A CA SiteMinder® SP as an attribute requester is only supported for the proxied attribute query feature.

The IdP has all the user attributes that an SP can request in its metadata. An SP can obtain these attributes in two ways:

In addition to the attributes in the metadata, an SP can require attributes that are not in the assertion or in the metadata. To retrieve other attributes, the SP sends an attribute query to the IdP.

The query request profile employs two entities:

A CA SiteMinder® IdP can only act as an Attribute Authority. A CA SiteMinder® SP cannot be the Attribute Requester.

The following graphic shows the configuration steps for an Attribute Authority.

Attribute query configuration tasks at the IdP

Complete the the following steps:

If CA SiteMinder® is at both sides of the partnership, you cannot use the Assertion Query/Response profile.

Configure the Partnership for Attribute Query Support

For the IdP to respond to attribute queries, an IdP-to-SP partnership must exist. You can create a partnership or modify an existing partnership.

The steps for creating a partnership include:

  1. Create the SAML 2.0 IdP and SP entities.
  2. Configure a connection to a user directory for the partnership.
  3. Create a SAML 2.0 IdP-to-SP partnership.
  4. Configure a SAML 2.0 Attribute Authority.

These steps are detailed throughout this guide.

Configure the SAML 2.0 Attribute Authority

You can configure an IdP to serve as an Attribute Authority.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Federation, Partnership Federation, Partnerships.
  3. Select the IdP-to-SP partnership that you want to modify or create a new one.
  4. Navigate to the SSO and SLO step of the partnership wizard.
  5. Select Enable in the Attribute Service section of the dialog.
  6. Enter a number of seconds for the Validity Duration.
  7. (Optional) Specify whether to require that the attribute query is signed, and the signing requirements for attribute assertions and responses.
  8. Enter the search specifications for the appropriate user directory name space in the User Lookup section. The Attribute Authority uses this search specification to disambiguate the user.

    An example for an LDAP user directory is uid=%s. At least one search specification is required.

  9. (Optional) Specify Partnership as the Protection Type in the Back Channel section. Select an authentication method. For more information about the back channel, click Help.
  10. Save and activate the partnership.

The Identity Provider is now set up to serve as an Attribute Authority. This authority can now respond to attribute queries from a third-party SP.