

User Consent at a SAML 2.0 IdP

A CA SiteMinder® Identity Provider supports the user consent feature for SAML 2.0. User consent requires that the Identity Provider asks the user to grant permission before it sends an assertion to a partner. If you enable user consent at the Identity Provider, CA SiteMinder® prompts the user for consent. The Identity Provider passes the consent value in an assertion.

The consent validity period is 5 minutes. When the Identity Provider redirects the user to the consent page, the user has 5 minutes to grant consent and be redirected back to the Identity Provider. The Identity Provider then generates the assertion and sends it to the Service Provider. These tasks must be complete in the 5-minute time period. If the time expires before the Identity Provider generates an assertion, it does not pass on the user identity.

Consent applies only to a single assertion. After the Identity Provider generates an assertion, it deletes all record of consent being granted. The same user can return to an Identity Provider before the 5-minute validity period expires, but the Identity Provider still prompts the user for consent.

Note: The validity period is not configurable.

Example

User1 logs in and authenticates at MyWorkPlace.com at 2:00PM. MyWorkPlace is acting as an Identity Provider. At 2:03PM, the user selects a link to the partner company that runs travel specials for employees. User1 is redirected to a form that asks for consent before sending User1 to ExampleTravel.com. User1 takes a phone call before completing the consent form. The time is now 2:10PM. MyWorkPlace does not generate an assertion because the validity period has expired.

If User1 grants consent promptly and is redirected back to the Identity Provider by 2:05PM, the Identity Provider generates an assertion. Only 2 minutes pass between consent and assertion generation, so the validity period is still active.

Configuring user consent requires that you:

If the Identity Provider includes a user consent attribute in the assertion response, only the following URI is used:

urn:oasis:names:tc:SAML:2.0:consent:obtained

User consent is also configurable at the Service Provider. A Service Provider can require the Identity Provider to pass the user consent value in the assertion response.
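The following Python model, added here as an illustration and not CA SiteMinder code, replays the rules stated above: the 5-minute validity window that starts when the user is redirected to the consent page, the single-use consent record that is discarded once an assertion is generated, the Consent attribute on the SAML Response carrying the one URI the Identity Provider uses, and the Service Provider side check that the value is present. The class `ConsentStore`, the functions, the issuer and partner names, and the timestamps (the page gives only clock times, so the date is constructed) are assumptions made for the example.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Fixed by the product (the page notes it is not configurable).
CONSENT_VALIDITY = timedelta(minutes=5)
# The only consent URI the Identity Provider places in the assertion response.
CONSENT_OBTAINED = "urn:oasis:names:tc:SAML:2.0:consent:obtained"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class ConsentStore:
    """Hypothetical IdP-side record of consent prompts (assumed structure).

    The clock starts when the user is redirected to the consent page; the
    grant and the assertion must both happen within CONSENT_VALIDITY, and the
    record is discarded as soon as an assertion is generated (single use).
    """

    def __init__(self):
        self._records = {}  # (user, sp_id) -> {"shown": datetime, "granted": bool}

    def show_consent_page(self, user, sp_id, now):
        # A new prompt always starts a fresh window; any older record is replaced.
        self._records[(user, sp_id)] = {"shown": now, "granted": False}

    def grant(self, user, sp_id, now):
        """User submits the consent form; refused if the window already expired."""
        rec = self._records.get((user, sp_id))
        if rec is None or now - rec["shown"] > CONSENT_VALIDITY:
            self._records.pop((user, sp_id), None)
            return False
        rec["granted"] = True
        return True

    def consume(self, user, sp_id, now):
        """True if a granted, unexpired consent exists. The record is deleted on
        every call, so one grant covers exactly one assertion."""
        rec = self._records.pop((user, sp_id), None)
        if rec is None or not rec["granted"]:
            return False
        return now - rec["shown"] <= CONSENT_VALIDITY


def issue_response(store, user, sp_id, issuer, now):
    """IdP step: generate a samlp:Response only if consent is valid right now.

    Returns the serialized Response, or None when the IdP must not pass on
    the user identity (consent missing or validity period expired).
    """
    if not store.consume(user, sp_id, now):
        return None
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    resp = ET.Element(f"{{{SAMLP_NS}}}Response", {
        "ID": "_" + now.strftime("%Y%m%d%H%M%S"),  # constructed id, not a product value
        "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Consent": CONSENT_OBTAINED,
    })
    ET.SubElement(resp, f"{{{SAML_NS}}}Issuer").text = issuer
    assertion = ET.SubElement(resp, f"{{{SAML_NS}}}Assertion", {"Version": "2.0"})
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID").text = user
    return ET.tostring(resp, encoding="unicode")


def sp_consent_obtained(response_xml):
    """SP step: a Service Provider that requires the consent value accepts the
    Response only when its Consent attribute carries the 'obtained' URI."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return False
    return root.get("Consent") == CONSENT_OBTAINED


def walk_through_page_example():
    """Replay the timeline from the Example above; returns the three outcomes."""
    store = ConsentStore()
    sp, idp = "ExampleTravel.com", "MyWorkPlace.com"   # partner names from the page
    # Scenario 1: consent page shown at 2:03 PM, form completed only at 2:10 PM.
    store.show_consent_page("User1", sp, datetime(2024, 1, 1, 14, 3))
    store.grant("User1", sp, datetime(2024, 1, 1, 14, 10))      # refused: expired
    first = issue_response(store, "User1", sp, idp, datetime(2024, 1, 1, 14, 10))
    # Scenario 2: shown at 2:03 PM, consent granted and user back by 2:05 PM.
    store.show_consent_page("User1", sp, datetime(2024, 1, 1, 14, 3))
    store.grant("User1", sp, datetime(2024, 1, 1, 14, 5))
    second = issue_response(store, "User1", sp, idp, datetime(2024, 1, 1, 14, 5))
    # Single use: an immediate second request finds no record and needs a new prompt.
    third = issue_response(store, "User1", sp, idp, datetime(2024, 1, 1, 14, 5))
    return first, second, third


if __name__ == "__main__":
    first, second, third = walk_through_page_example()
    print("2:10 PM attempt:", first)
    print("2:05 PM attempt accepted by SP:", sp_consent_obtained(second))
    print("repeat attempt:", third)
```

The `grant` and `consume` steps both measure against the time the consent page was shown, which is how the page describes the window; a Service Provider that requires the consent value should reject a Response whose `Consent` attribute is absent or different, as `sp_consent_obtained` does.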

Customize a User Consent Form

CA SiteMinder® ships with a consent-to-federate form named ca_defaultconsentform.html. The Identity Provider sends this form to the user to obtain consent. The default consent form is in the directory %NETE_WA_ROOT%\customization, where %NETE_WA_ROOT% is the location of the Web Agent Option Pack.

Instead of using the default consent form, you can write a custom form and specify that form in the Administrative UI.

Follow these steps:

  1. Create the custom HTML form. Modify the form and replace values for the following settings:
    $$userconsent_spid$$

    Represents the SP ID configured in the partnership.

    $$userconsent_idpid$$

    Represents the IDP ID configured in the partnership.

  2. Place the form in the directory %NETE_WA_ROOT%\customization.

    NETE_WA_ROOT is a system environment variable; %NETE_WA_ROOT% is the location of the Web Agent Option Pack. If the Web Agent and Web Agent Option Pack are installed on the same system, they share the same directory, for example, webagent\customization.

  3. Log in to the Administrative UI.
  4. Navigate to Federation, Partnership Federation, Partnerships.
  5. Select the IdP->SP partnership you want to modify.
  6. Navigate to the SSO and SLO step in the partnership wizard.
  7. In the SSO section:
    1. Select the Enable User Consent check box.
    2. Specify the name of the custom form in the User Consent Post Form field.

    Note: The User Consent Service URL is specified by default. You cannot change this value.

  8. Navigate to the Confirm step when your configuration is complete and click Finish.