Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a SAML 1.x Producer › Configure Attributes to Include in SAML 1.x Assertions (Optional)

Configure Attributes to Include in SAML 1.x Assertions (Optional)

You can include attributes in assertions. Servlets or applications can use attributes to display customized content for a user. User attributes, DN attributes, or static data can all be passed from the producer to the consumer in an assertion. When used with web applications, attributes can limit the activities of a user at the consumer. For example, the producer sends an attribute named Authorized Amount. The consumer sets this attribute to a maximum dollar amount that the user can spend.

Attributes take the form of name/value pairs and include information, such as a mailing address, business title, or an approved spending limit for transactions. When the consumer receives the assertion, it extracts the attributes. The consumer makes the attributes available to applications as HTTP header variables or HTTP cookie variables.

To pass the attributes, configure a response. The responses available for this purpose are:

• Affiliate-HTTP-Header-Variable
• Affiliate-HTTP-Cookie-Variable

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

• For HTTP headers, CA SiteMinder® can send an attribute in a header up to the web server size limit for a header. Only one assertion attribute per header is allowed. See the documentation for your web server to determine the header size limit.
• For HTTP cookies, CA SiteMinder® can send a cookie up to the size limit for a cookie. Each assertion attribute is sent as its own cookie. The cookie size limit is browser-specific, and that limit is for all attributes being passed to the application, not for each attribute. See the documentation for your web browser to determine the cookie size limit.

More Information:

Configure Attributes for SAML 1.x Assertions

Use a Script to Create A New Response Attribute

Configure Attributes for SAML 1.x Assertions

You can configure responses to pass attributes from a SAML assertion to a target application at the consumer site.

To configure an attribute for an assertion

1. Navigate to the Assertions settings.
2. Click Add in the Attributes section.

   The Add Attribute dialog opens.

3. From the Attribute Type drop down, select whether you want to configure a header or cookie variable.
4. From the Attribute Setup section, select one of the following options in the Attribute Kind section:
   • Static
   • User Attribute
   • DN Attribute

   Note: Click Help for a description of fields, controls, and their respective requirements.

   Your selection determines the available fields in the Attribute Fields section.

5. Complete the fields for the Attribute Kind you select. The Attribute Kind that you select determines which additional fields you must configure.

   Static

   Fill in the following fields:

   • Variable Name

     Enter the name for the attribute CA SiteMinder® returns to the affiliate.

   • Variable Value

     Enter the static text as the value for the name/value pair.

     For example, to return the name/value pair show_content=yes, enter show_content as the variable name and yes as the variable value.

   User Attribute

   Fill in the following fields:

   • Variable Name

     Enter the name for the attribute CA SiteMinder® returns to the consumer.

   • Attribute Name

     Enter the attribute in the user directory for the name/value pair.

     For example, to return the email address of a user to the consumer, enter email_address as the Variable Name, and email as the Attribute Name.

   DN Attribute

   Fill in the following fields:

   • Variable Name

     Enter the name for the attribute CA SiteMinder® returns to the consumer.

   • DN Spec

     Enter the distinguished name of the user group from which CA SiteMinder® retrieves the user attribute. The DN value is returned to the consumer. If you do not know the DN, click Lookup. Use the CA SiteMinder® User Lookup dialog to locate the user group and select a DN.

   • Attribute Name

     Enter the attribute in the user directory for this attribute for the name/value pair.

   Note: If you selected Affiliate-HTTP-Cookie-Variable from the Attribute menu, the Variable Name field label changes to Cookie Name.

6. (Optional) To retrieve DN attributes from the nested groups, select the Allow Nested Groups check box in the Attribute Kind section.
7. Click OK to save your changes.

Specify the Maximum Length of Assertion Attributes

The maximum length for user assertion attributes is configurable. To modify the maximum length of assertion attributes, change the settings in the EntitlementGenerator.properties file.

Note: The property name in the file is specific to the protocol you are configuring.

Follow these steps:

1. On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\EntitlementGenerator.properties.
2. Open the file in a text editor.
3. Adjust the maximum user attribute length for the protocols in use in your environment. The settings for each protocol are as follows:

   WS-Federation

   Property Name: com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength

   Property Type: Positive Integer value

   Default Value: 1024

   Description: Indicates the maximum attribute length for WS-FED assertion attributes.

   SAML 1.x

   Property Name: com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength

   Property Type: Positive Integer value

   Default Value: 1024

   Description: Indicates the maximum attribute length for SAML1.1 assertion attributes.

   SAML 2.0

   Property Name: com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength

   Property Type: Positive Integer value

   Default Value: 1024

   Description: Indicates the maximum attribute length for SAML2.0 assertion attributes

4. Restart the Policy Server after any change to these parameters.

Use a Script to Create A New Response Attribute

The Advanced section of the Add Attribute page contains the Script field. This field displays the script that CA SiteMinder® generates based on your entries in the Attribute Setup section. You can copy the contents of this field and paste them into the Script field for another response attribute.

Note: If you copy the contents of the Script field to another attribute, select the appropriate option button in the Attribute Kind group.