At a SAML 1.1 consumer or SAML 2.0 SP, you can map a set of assertion attributes to a set of outgoing application attributes. The application attributes are then delivered to the target application. Attribute mapping allows you to provide a customized experience for users without having to modify the target application. Attributes are mapped on a per-partnership basis, which allows you to use a relying party-side application for multiple asserting parties.
The following types of mapping are available:
Example
An incoming assertion attribute can be Region=US. The attribute can be converted to an outgoing application attribute ServiceLocation=US.
Example
Two attributes are included in the assertion, Name=Bob and LastName=Smith. These two attributes can be converted to FullName =Bob Smith.
You define attribute mapping rules in the Application Attributes Definitions table of the Application Integration dialog. This table is shown in the following figure:
The Application Attribute and Assertion Attribute(s) columns are populated using assertion attributes for the remote Producer or IdP entity. You configure these attributes at this local relying party. The assertion attribute name is entered for the Application Attribute column. The equivalent Unified Expression Language (UEL) string is entered in the Assertion Attribute(s) column.
Administrators or application integrators at the relying party must know the following information to configure attribute mapping:
Gather the names of the application and assertion attributes from the necessary parties before setting up attribute mapping.
The application attributes must reflect the attributes that the target application uses so you must modify the default values to suit the application. You obtain the application attributes from an out-of-band communication with the application administrator.
Use the Expression Builder to Build Mapping Rules
The UI provides an expression builder to aid in the construction of mapping rules. Access the expression builder by selecting the slider button (<<) to the right of the Assertion Attribute(s) field. The slider button reveals a blank field and pull-down arrow. Select the arrow to see a list of assertion attributes and special characters that you can use to compose a mapping. Click the slider button (>>) to hide the expression builder.
The following figure shows the Expression Builder menu.
The Assertion Attributes list from the expression builder is populated from assertion attributes for the remote Producer or IdP entity. You configure these attributes at this local relying party. You can specify entries manually as long as you know that the attribute is in the assertion. You do not have to use only the options from the expression builder menu.
The Special Characters list contains characters, such as commas and percent signs that you can use to build a mapping rule. You can select a character from the list or you can enter the character manually.
Important! When you enter assertion attributes in this table, they are case-sensitive relative to the assertion attribute specified at the remote asserting party. The cases must match. If CA SiteMinder® is at both sides of the partnership, the attributes are specified in the NameID and Attributes step of the remote IdP partnership wizard. Obtain the assertion attributes in an out-of-band communication with the partner or by importing metadata.
After the mapping rules are defined, CA SiteMinder® places the data in a legacy cookie, an open format cookie, or an HTTP header. CA SiteMinder® then sends the data to the application. You specify the delivery method in the Target Application section of the Application Integration dialog.
You can change or remove attribute mappings in the Application Attributes Definitions table at any time.
To modify a mapping
To delete a mapping
Attribute mapping uses mapping rules that transform assertion attributes to application attributes. When you enable attribute mapping, CA SiteMinder® generates default mapping rules. The rules are based on the assertion attributes specified for the remote Producer or IdP entity. All this configuration takes place at the local relying party. When you disable attribute mapping, assertion attributes are passed "as is" to the target application.
CA SiteMinder® uses a Unified Expression Language (UEL) syntax for mapping that is similar to JSP and JSF. Each assertion attribute is put into a hashmap and assigned the attr keyword. A UEL expression evaluator goes through the list of mapping rules and applies them to the hashmap of assertion attributes. The expression evaluator then generates another hashmap containing the resulting application attributes. The hashmap of outgoing application attributes is converted into cookie contents or header variables and delivered to the target application.
To construct expressions, it is important to understand the syntax CA SiteMinder® uses for the expressions.
Single Attribute Representation
To represent a single assertion attribute, use the following syntax:
#{attr["attribute_name"]}
Example: #{attr["Name"]} represents the value of the Name assertion attribute.
Composite Attribute Representation
Value expressions can be concatenated to form a composite value (with optional delimiter). To represent a composite assertion attribute, use the following syntax:
#{attr["first_attribute"]}optional_character #{attr["second_attribute"]}
Mapping Examples
The following examples are a series of mapping rules. These examples are presented in the following format:
application_attribute=assertion_attributes_expression
Name Example
ID = #{attr["Name"]}
BobSmith
Simple Concatenation Examples
FullName = #{attr["FirstName"]},#{attr["LastName"]}
Bob,Smith
FullName = #{attr["LastName"]},#{attr["FirstName"]}
Smith,Bob
Spaces are considered special characters. If you want a space between attributes in an expression, enter a space. For example:
FullName = #{attr["LastName"]}, #{attr["FirstName"]}
Smith, Bob
Date Examples
Date = #{attr["month"]}/#{attr["dateOfMonth"]}/#{attr["year"]}
01/05/2010
Date = #{attr["monthSymbol"]} #{attr["dateOfMonth"]}, #{attr["year"]}
January 5, 2012
Monetary Example
Price = #{attr["amount"]}#{attr["currency"]}
2.50EUR
Email Address Examples
EmailAddress = #{attr["userName"]}@#{attr["domainName"]}
JaneDoe@company.com
AcmeEmailAddress = #{attr["AcmeIDKey"]}@acme.com
bsmith@acme.com
Define a set of mapping rules that CA SiteMinder® can apply to the assertion attributes. CA SiteMinder® lets you map a specific assertion attribute or a combination of several application attributes. The result of the mapping can be a single application attribute or multiple attributes.
Follow these steps:
An Application Attribute Definitions table displays.
The syntax of the value in the Assertion Attribute column must comply with Unified Expression Language (UEL).
Select the slider button (<<) to open the expression builder and display the options available to you. To add the item from the list to the attribute value, select the assertion or special character and click Append.
Note: When you specify Cookie Data and any special character in the Application Attributes Table, select the URL Encode Attribute Cookie Data option. The check box is in the Target Application section of the dialog. Special characters can be added from the drop-down list or entered manually. Additionally, the target application must URL decodes the name and value of the application attribute received.
By default, all assertion attributes defined at the remote Producer or IdP entity are included in the table with the default (straight) mappings. The original assertion attribute is not changed. You can modify these mappings.
Attribute mapping configuration is complete.
Copyright © 2013 CA.
All rights reserved.
|
|