
Customize a SAML Assertion Response (optional)

You can modify the assertion content using an assertion generator plug-in. The plug-in lets you customize the content of an assertion according to the business agreements between you and your partners and vendors. One plug-in is allowed for each partner.

The steps to configure an assertion generator plug-in are:

  1. Install the CA SiteMinder® SDK, if you have not done so already.
  2. Implement the AssertionGeneratorPlugin.java interface, which is part of the SDK.
  3. Deploy your assertion generator plug-in implementation class.
  4. Enable the assertion generator plug-in parameters in the Administrative UI.

Additional information about the Assertion Generator plug-in can be found as follows:

Implement the AssertionGeneratorPlugin Interface

The first step in creating a custom assertion generator plug-in is to implement the AssertionGeneratorPlugin interface.

Follow these steps:

  1. Provide a public default constructor method that contains no parameters.
  2. Write the implementation so that it is stateless, because many threads must be able to use a single plug-in class.
  3. Implement methods in the interface to satisfy your requirements.

The implementation must include a call to the customizeAssertion methods. You can overwrite the existing implementations. See the following sample classes for examples:

  SAML 1.x/WS-Federation: AssertionSample.java
  SAML 2.0: SAML2AssertionSample.java

The sample classes are located in the directory /sdk/samples/assertiongeneratorplugin.

Note: The contents of the parameter string that your implementation passes into the customizeAssertion method are the responsibility of the custom object.
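As an added example (not the SDK's AssertionSample.java and not CA code), the following class meets the three requirements above: a public no-argument constructor, no per-instance state, and a customizeAssertion method that parses the assertion, adds one SAML 1.x attribute taken from the Parameter string, and returns the modified XML. The interface package, the exact customizeAssertion signature and the name=value convention for the Parameter string are assumptions; compare them with AssertionSample.java in the SDK.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

// Stateless plug-in: no instance fields, so one object can serve many Policy Server threads.
public class StatelessAssertionPlugin /* implements AssertionGeneratorPlugin (SDK interface, assumed) */ {
    private static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Public default constructor with no parameters, as step 1 requires.
    public StatelessAssertionPlugin() { }

    // Assumed shape of the SDK callback: assertion XML in, the Parameter string from the
    // Administrative UI, modified XML out. Check AssertionSample.java for the real signature.
    public String customizeAssertion(String assertionXml, String parameter) throws Exception {
        String[] kv = parameter.split("=", 2);   // constructed convention: "name=value"
        if (kv.length != 2 || kv[0].isEmpty()) {
            throw new IllegalArgumentException("Parameter must be name=value");
        }
        return addAttribute(assertionXml, kv[0], kv[1]);
    }

    static String addAttribute(String assertionXml, String name, String value) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Hardened parsing: no DTDs and no entity expansion, even though the input comes from the Policy Server.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(assertionXml)));
        Element stmt = (Element) doc.getElementsByTagNameNS(SAML1_NS, "AttributeStatement").item(0);
        if (stmt == null) {
            throw new IllegalStateException("assertion has no AttributeStatement");
        }
        Element attr = doc.createElementNS(SAML1_NS, "saml:Attribute");
        attr.setAttribute("AttributeName", name);
        attr.setAttribute("AttributeNamespace", "urn:example:attributes"); // placeholder namespace
        Element val = doc.createElementNS(SAML1_NS, "saml:AttributeValue");
        val.setTextContent(value);
        attr.appendChild(val);
        stmt.appendChild(attr);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }
}
```

The method fails closed on a malformed Parameter value or on an assertion without an AttributeStatement rather than returning the assertion unchanged, so a misconfiguration is visible in the Policy Server log instead of silently issuing assertions without the expected attribute.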

Deploy the Assertion Generator Plug-in

After you have coded your implementation class for the AssertionGeneratorPlugin interface, compile it and verify that CA SiteMinder® can find your executable file.

To deploy the assertion generator plug-in

  1. Compile the assertion plug-in Java file.

    Compilation requires the following .jar files, which are installed with the Policy Server:

  2. In the JVMOptions.txt file, modify the -Djava.class.path value so it includes the classpath for the plug-in. This modification enables the plug-in to be loaded with the modified classpath. Locate the JVMOptions.txt file in the directory installation_home\siteminder\config.

    Note: Do not modify the classpath for xercesImpl.jar, xalan.jar, or SMJavaApi.jar.

  3. Enable the plug-in.

Enable the Assertion Generator Plug-in

After writing an assertion generator plug-in and compiling it, enable the plug-in by configuring settings in the Administrative UI. The UI parameters let CA SiteMinder® know where to find the plug-in.

Do not configure the plug-in settings until you deploy the plug-in.

Follow these steps:

  1. Log on to the Administrative UI.
  2. Click Federation, Legacy Federation, Affiliates.
  3. Select an existing Affiliate entry or create one.
  4. Navigate to the General settings.
  5. In the Assertion Generator Plug-in section, complete the following fields:
    Java Class Name

    Specifies the Java class name of an existing plug-in, for example, com.mycompany.assertiongenerator.AssertionSample.

    The plug-in class can parse and modify the assertion, and then return the result to the Assertion Generator for final processing.

    Only one plug-in is allowed for each Affiliate.

    Parameter

    (Optional) Specifies a string of parameters that is passed to the plug-in specified in the Java Class Name field.

    Note: Instead of enabling the assertion plug-in in the Administrative UI, you can use the Policy Management API (C or Perl) to integrate the plug-in. For more information, see the CA SiteMinder® Programming Guide for C or the CA SiteMinder® Programming Guide for Java.

  6. Restart the Policy Server.

    Restarting the Policy Server picks up the latest version of the assertion plug-in after it has been recompiled.