Previous Topic: Configure the Authentication Scheme that Protects the Artifact ServiceNext Topic: Customize a SAML Assertion Response (optional)


Configure Attributes to Include in SAML 1.x Assertions (Optional)

You can include attributes in assertions. Servlets or applications can use attributes to display customized content for a user. User attributes, DN attributes, or static data can all be passed from the producer to the consumer in an assertion. When used with web applications, attributes can limit the activities of a user at the consumer. For example, the producer sends an attribute named Authorized Amount. The consumer sets this attribute to a maximum dollar amount that the user can spend.

Attributes take the form of name/value pairs and include information, such as a mailing address, business title, or an approved spending limit for transactions. When the consumer receives the assertion, it extracts the attributes. The consumer makes the attributes available to applications as HTTP header variables or HTTP cookie variables.

To pass the attributes, configure a response. The responses available for this purpose are:

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

More Information:

Configure Attributes for SAML 1.x Assertions

Use a Script to Create A New Response Attribute

Configure Attributes for SAML 1.x Assertions

You can configure responses to pass attributes from a SAML assertion to a target application at the consumer site.

To configure an attribute for an assertion

  1. Navigate to the Assertions settings.
  2. Click Add in the Attributes section.

    The Add Attribute dialog opens.

  3. From the Attribute Type drop down, select whether you want to configure a header or cookie variable.
  4. From the Attribute Setup section, select one of the following options in the Attribute Kind section:

    Note: Click Help for a description of fields, controls, and their respective requirements.

    Your selection determines the available fields in the Attribute Fields section.

  5. Complete the fields for the Attribute Kind you select. The Attribute Kind that you select determines which additional fields you must configure.

    Static

    Fill in the following fields:

    User Attribute

    Fill in the following fields:

    DN Attribute

    Fill in the following fields:

    Note: If you selected Affiliate-HTTP-Cookie-Variable from the Attribute menu, the Variable Name field label changes to Cookie Name.

  6. (Optional) To retrieve DN attributes from the nested groups, select the Allow Nested Groups check box in the Attribute Kind section.
  7. Click OK to save your changes.
Specify the Maximum Length of Assertion Attributes

The maximum length for user assertion attributes is configurable. To modify the maximum length of assertion attributes, change the settings in the EntitlementGenerator.properties file.

Note: The property name in the file is specific to the protocol you are configuring.

Follow these steps:

  1. On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\EntitlementGenerator.properties.
  2. Open the file in a text editor.
  3. Adjust the maximum user attribute length for the protocols in use in your environment. The settings for each protocol are as follows:

    WS-Federation

    Property Name: com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for WS-FED assertion attributes.

    SAML 1.x

    Property Name: com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML1.1 assertion attributes.

    SAML 2.0

    Property Name: com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML2.0 assertion attributes

  4. Restart the Policy Server after any change to these parameters.
Use a Script to Create A New Response Attribute

The Advanced section of the Add Attribute page contains the Script field. This field displays the script that CA SiteMinder® generates based on your entries in the Attribute Setup section. You can copy the contents of this field and paste them into the Script field for another response attribute.

Note: If you copy the contents of the Script field to another attribute, select the appropriate option button in the Attribute Kind group.