Federation Guides › Partnership Federation Guide › Application Integration at the Relying Party › Using HTTP Headers to Pass Assertion Data (SAML only)

Using HTTP Headers to Pass Assertion Data (SAML only)

For a SAML entity, the Policy Server can use HTTP headers to pass identity attributes from an assertion to a back-end application. A backend application can be a target application for single sign-on or a user provisioning application. The system passes these headers in an encrypted cookie.

The headers have the same name as the assertion attributes. For example, if the assertion attribute is "address", the application looks for the HTTP header "ADDRESS".

Assertion attributes are case-sensitive, but HTTP headers are not. The Policy Server cannot pass the same attributes that differ only by case sensitivity and then map them to HTTP headers. For example, the system cannot pass "address" and "Address" as headers at the same time. In general, do not use the attributes with the same names that are only different because of case sensitivity or format.

The following additional values are passed as headers:

• NAMEID
• FORMAT
• AUTHNCONTEXT

Protecting HTTP Headers

If an unauthorized user knows the name of an assertion attribute, that user can set this name as a header in a browser. With the header set, the malicious user can gain access to the target application. The target application sees an expected header value and grants access to the resource without CA SiteMinder® consuming an assertion.

Setting a value for the FedHeaderPrefix protects against the following scenario:

1. An unauthorized user learns the names of HTTP headers. These header names include prefixes.
2. The malicious user sends an incoming request, including the headers, to the Policy Server.
3. The Policy Server recognizes that the headers containing prefixes come from an incoming request and are not generated internally so it removes these headers.
4. Before the system passes its own legitimate headers to the back-end application, it adds the specified prefix to each header. The headers are then passed to the application.

Configure HTTP Headers to Pass Assertion Data (SAML only)

CA SiteMinder® can pass assertion data using HTTP headers.

Follow these steps:

1. Verify that the CA SiteMinder® web agent is installed on the relying party system that is handling federation traffic.
2. Navigate to web_agent_home/conf and modify the WebAgent.conf file. Uncomment the following entry so it appears as follows:

   Windows

   LoadPlugin="path\SAMLDataPlugin.dll"

   UNIX

   LoadPlugin="path/SAMLDataPlugin.so"

3. (Optional but recommended) Add the setting fedheaderprefix setting to the appropriate Agent Configuration Object for the web agent. Enter any string as a prefix.

   The fedheaderprefix setting specifies a global prefix that CA SiteMinder® adds to HTTP headers. Setting a prefix protects HTTP headers against manipulation by an unauthorized user before the CA SiteMinder® consumes an assertion. As a result, only legitimate headers get passed to the target application. Read more about protecting HTTP headers.

4. Do one of the following tasks in the Application Integration step of the partnership wizard:
   • Select HTTP Headers as the Redirect Mode for the target application.
   • Select HTTP Headers as the Delivery Option for user provisioning.

HTTP headers are now configured to pass attribute data.