

Mapping Assertion Attributes to Application Attributes (SAML only)

At a SAML 1.1 consumer or SAML 2.0 SP, you can map a set of assertion attributes to a set of outgoing application attributes. The application attributes are then delivered to the target application. Attribute mapping allows you to provide a customized experience for users without having to modify the target application. Attributes are mapped on a per-partnership basis, which allows you to use a relying party-side application for multiple asserting parties.

The following types of mapping are available:

Using the Application Attributes Definitions Table

You define attribute mapping rules in the Application Attributes Definitions table of the Application Integration dialog. This table is shown in the following figure:

Application Attribute Definitions Table

The Application Attribute and Assertion Attribute(s) columns are populated using assertion attributes for the remote Producer or IdP entity. You configure these attributes at this local relying party. The assertion attribute name is entered for the Application Attribute column. The equivalent Unified Expression Language (UEL) string is entered in the Assertion Attribute(s) column.

Administrators or application integrators at the relying party must know the following information to configure attribute mapping:

Gather the names of the application and assertion attributes from the necessary parties before setting up attribute mapping.

The application attributes must reflect the attributes that the target application uses, so you must modify the default values to suit the application. You obtain the application attributes through an out-of-band communication with the application administrator.

Use the Expression Builder to Build Mapping Rules

The UI provides an expression builder to aid in the construction of mapping rules. Access the expression builder by selecting the slider button (<<) to the right of the Assertion Attribute(s) field. The slider button reveals a blank field and pull-down arrow. Select the arrow to see a list of assertion attributes and special characters that you can use to compose a mapping. Click the slider button (>>) to hide the expression builder.

The following figure shows the Expression Builder menu.

Special Characters Menu for Attribute Mapping

The Assertion Attributes list from the expression builder is populated from assertion attributes for the remote Producer or IdP entity. You configure these attributes at this local relying party. You can specify entries manually as long as you know that the attribute is in the assertion. You do not have to use only the options from the expression builder menu.

The Special Characters list contains characters, such as commas and percent signs, that you can use to build a mapping rule. You can select a character from the list or enter the character manually.

Important! When you enter assertion attributes in this table, they are case-sensitive relative to the assertion attribute specified at the remote asserting party. The cases must match. If CA SiteMinder® is at both sides of the partnership, the attributes are specified in the NameID and Attributes step of the remote IdP partnership wizard. Obtain the assertion attributes in an out-of-band communication with the partner or by importing metadata.

After the mapping rules are defined, CA SiteMinder® places the data in a legacy cookie, an open format cookie, or an HTTP header. CA SiteMinder® then sends the data to the application. You specify the delivery method in the Target Application section of the Application Integration dialog.

Modify and Delete Mappings

You can change or remove attribute mappings in the Application Attributes Definitions table at any time.

To modify a mapping

  1. Place your cursor in any of the fields in the row you want to modify and enter the new text. You can also use the expression builder to append additional values to the end of the current expression.
  2. Save the change by clicking Next to advance to the end of the wizard.

To delete a mapping

  1. Click the trash barrel in the Delete column for the entry you want to remove.
  2. Save the change by clicking Next to advance to the end of the wizard.

Construct Attribute Mapping Rules Using the Proper Syntax

Attribute mapping uses mapping rules that transform assertion attributes to application attributes. When you enable attribute mapping, CA SiteMinder® generates default mapping rules. The rules are based on the assertion attributes specified for the remote Producer or IdP entity. All this configuration takes place at the local relying party. When you disable attribute mapping, assertion attributes are passed "as is" to the target application.

CA SiteMinder® uses a Unified Expression Language (UEL) syntax for mapping that is similar to JSP and JSF. Each assertion attribute is put into a hashmap and assigned the attr keyword. A UEL expression evaluator goes through the list of mapping rules and applies them to the hashmap of assertion attributes. The expression evaluator then generates another hashmap containing the resulting application attributes. The hashmap of outgoing application attributes is converted into cookie contents or header variables and delivered to the target application.

To construct expressions, it is important to understand the syntax CA SiteMinder® uses for the expressions.

Single Attribute Representation

To represent a single assertion attribute, use the following syntax:

#{attr["attribute_name"]}

Example: #{attr["Name"]} represents the value of the Name assertion attribute.

Composite Attribute Representation

Value expressions can be concatenated to form a composite value (with optional delimiter). To represent a composite assertion attribute, use the following syntax:

#{attr["first_attribute"]}optional_character #{attr["second_attribute"]}

Mapping Examples

The following examples are a series of mapping rules. These examples are presented in the following format:

application_attribute=assertion_attributes_expression

Name Example

Syntax

ID = #{attr["Name"]}

Sample Result

BobSmith

Simple Concatenation Examples

Syntax

FullName = #{attr["FirstName"]},#{attr["LastName"]}

Sample Result

Bob,Smith

Syntax

FullName = #{attr["LastName"]},#{attr["FirstName"]}

Sample Result

Smith,Bob

Spaces are considered special characters. If you want a space between attributes in an expression, enter a space. For example:

Syntax

FullName = #{attr["LastName"]}, #{attr["FirstName"]}

Sample Result

Smith, Bob

Date Examples

Syntax

Date = #{attr["month"]}/#{attr["dateOfMonth"]}/#{attr["year"]}

Sample Result

01/05/2010

Syntax

Date = #{attr["monthSymbol"]} #{attr["dateOfMonth"]}, #{attr["year"]}

Sample Result

January 5, 2012

Monetary Example

Syntax

Price = #{attr["amount"]}#{attr["currency"]}

Sample Result

2.50EUR

Email Address Examples

Syntax

EmailAddress = #{attr["userName"]}@#{attr["domainName"]}

Sample Result

JaneDoe@company.com

Syntax

AcmeEmailAddress = #{attr["AcmeIDKey"]}@acme.com

Sample Result

bsmith@acme.com
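The following Python script is an added illustration, not part of this documentation and not CA SiteMinder® code. It models the evaluator described above (assertion attributes in a map keyed by the attr keyword, mapping rules applied to produce a second map of application attributes) and reproduces the sample results from the mapping examples. Only the documented #{attr["attribute_name"]} token is recognised; the rule format, the sample assertion values, and the cookie pair layout are constructed for the example. It also shows the case-sensitivity caveat (a wrong-case name finds no value) and the URL encode/decode round trip that the configuration note requires when attribute cookie data contains special characters.

```python
import re
from urllib.parse import quote, unquote

# The single-attribute token documented on the page: #{attr["attribute_name"]}.
# Only this form is substituted; any other text in a rule is copied through literally.
ATTR_TOKEN = re.compile(r'#\{attr\["([^"]+)"\]\}')


def evaluate_rule(expression, assertion_attrs):
    """Replace every #{attr["name"]} token with the matching assertion attribute value.

    Lookup is case-sensitive, so "Name" and "name" are different attributes,
    as the page's Important! note warns. Assumption (not stated on the page):
    an attribute absent from the assertion renders as an empty string, the way
    a null renders inside a UEL string expression.
    """
    return ATTR_TOKEN.sub(lambda m: assertion_attrs.get(m.group(1), ""), expression)


def parse_rules(rule_lines):
    """Parse 'application_attribute = expression' lines into (name, expression) pairs.

    Constructed rule format mirroring the page's examples. Whitespace around '='
    is dropped; the rest of the expression, interior spaces included, is kept
    because the page treats spaces as special characters.
    """
    rules = []
    for raw in rule_lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        name, sep, expr = line.partition("=")
        if not sep:
            raise ValueError(f"rule without '=': {line!r}")
        rules.append((name.strip(), expr.lstrip()))
    return rules


def map_attributes(rule_lines, assertion_attrs):
    """Apply every mapping rule to the assertion attributes and return the
    outgoing application attributes keyed by application attribute name."""
    return {name: evaluate_rule(expr, assertion_attrs)
            for name, expr in parse_rules(rule_lines)}


def encode_cookie_pair(name, value):
    """URL-encode an application attribute name and value for cookie delivery
    (the URL Encode Attribute Cookie Data behaviour). safe="" also encodes '/',
    which quote() would otherwise leave alone. The name=value layout is assumed."""
    return f"{quote(name, safe='')}={quote(value, safe='')}"


def decode_cookie_pair(pair):
    """What the target application must do with an encoded pair: split on the
    first '=' and URL-decode both the name and the value."""
    name, _, value = pair.partition("=")
    return unquote(name), unquote(value)


# Constructed sample data mirroring the page's mapping examples (not a real assertion).
ASSERTION_ATTRS = {
    "Name": "BobSmith",
    "FirstName": "Bob",
    "LastName": "Smith",
    "month": "01",
    "dateOfMonth": "05",
    "year": "2010",
    "amount": "2.50",
    "currency": "EUR",
    "userName": "JaneDoe",
    "domainName": "company.com",
    "AcmeIDKey": "bsmith",
}

MAPPING_RULES = [
    'ID = #{attr["Name"]}',
    'FullName = #{attr["LastName"]}, #{attr["FirstName"]}',
    'Date = #{attr["month"]}/#{attr["dateOfMonth"]}/#{attr["year"]}',
    'Price = #{attr["amount"]}#{attr["currency"]}',
    'EmailAddress = #{attr["userName"]}@#{attr["domainName"]}',
    'AcmeEmailAddress = #{attr["AcmeIDKey"]}@acme.com',
]


if __name__ == "__main__":
    app_attrs = map_attributes(MAPPING_RULES, ASSERTION_ATTRS)
    for name, value in app_attrs.items():
        print(f"{name} = {value}")
    # A wrong-case attribute name finds nothing: the case-sensitivity caveat in practice.
    print("lowercase 'name' ->", repr(evaluate_rule('#{attr["name"]}', ASSERTION_ATTRS)))
    # Cookie delivery with URL encoding on, and the decode step the target application performs.
    encoded = encode_cookie_pair("FullName", app_attrs["FullName"])
    print(encoded, "->", decode_cookie_pair(encoded))
```

Running the script prints the six mapped application attributes (BobSmith, Smith, Bob, 01/05/2010, 2.50EUR, JaneDoe@company.com, bsmith@acme.com), an empty string for the lowercase name lookup, and the encoded pair FullName=Smith%2C%20Bob alongside its decoded form. Because the substitution only recognises the exact documented token, any text in a rule that is not such a token reaches the application verbatim, which is why the attribute names you enter must match the asserting party's names character for character.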

Configure Attribute Mapping at the Relying Party

Define a set of mapping rules that CA SiteMinder® can apply to the assertion attributes. CA SiteMinder® lets you map a single assertion attribute or a combination of several assertion attributes. The result of the mapping can be a single application attribute or multiple attributes.

Follow these steps:

  1. Navigate to the Application Integration step in the partnership wizard.
  2. Select the Enable Attribute Mapping check box in the Map to Application Attribute section.

    An Application Attribute Definitions table displays.

  3. Modify any existing application attribute or define new ones in the table. All application attributes are delivered to the target application.

    The syntax of the value in the Assertion Attribute column must comply with Unified Expression Language (UEL).

    Select the slider button (<<) to open the expression builder and display the options available to you. To add the item from the list to the attribute value, select the assertion or special character and click Append.

    Note: When you specify Cookie Data and any special character in the Application Attributes Table, select the URL Encode Attribute Cookie Data option. The check box is in the Target Application section of the dialog. Special characters can be added from the drop-down list or entered manually. Additionally, the target application must URL decode the name and value of each application attribute it receives.

  4. (Optional) If the default mappings are not sufficient, add as many rows as you like.

    By default, all assertion attributes defined at the remote Producer or IdP entity are included in the table with the default (straight) mappings. The original assertion attribute is not changed. You can modify these mappings.

  5. Configure the method by which the application attributes are sent to the target application. You configure the method in the Target Application section of the Application Integration dialog.

Attribute mapping configuration is complete.