Previous Topic: Configure Signout for WS-FederationNext Topic: Configure CA SiteMinder® as a WS-Federation Resource Partner


Configure Attributes for WS-Federation Assertions (optional)

Attributes can provide information about a user requesting access to a Resource Partner resource. An attribute statement passes user attributes, DN attributes, or static data from the Account Partner to the Resource Partner in a SAML assertion. Any configured attributes are included in the assertion in one <AttributeStatement> element or the <EncryptedAttribute> element in the assertion.

Note: Attribute statements are not required in an assertion.

Servlets, web applications, or other custom applications use attributes to display customized content or enable other custom features. When used with web applications, attributes can implement fine-grained access control by limiting user activity at the Resource Partner. For example, you can send an attribute variable named Authorized Amount set to a maximum dollar amount. The amount is the limit that the user can spend at the Resource Partner.

Attributes take the form of name/value pairs. When the Resource Partner receives the assertion, it makes the attribute values available to applications.

Attributes can be made available as HTTP Headers or HTTP Cookies.

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

Configure Assertion Attributes for WS-Federation

To configure assertion attributes

  1. Navigate to the Attributes page for the Resource Partner object you are configuring.
  2. Click Add in the Attributes section.

    The Add Attributes dialog appears.

  3. From the Attribute drop-down, select the name format identifier. The <NameFormat> attribute in the <Attribute> element of an assertion specifies the identifier. This value classifies the attribute name so that the Resource Partner can interpret the name.

    The options are:

    For more information about these options, see the WS-Federation specification.

  4. In the Attribute Setup section, select one of the following options:

    The selection of the following option determines the available fields in the Attribute Fields section.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  5. Optional. The attribute can be retrieved from an LDAP user directory with nested groups. For the Policy Server to retrieve DN attributes from the nested groups, select the Allow Nested Groups check box in the Attribute Kind section.
  6. Complete the necessary fields for you Attribute Kind and save the changes.
Specify the Maximum Length of Assertion Attributes

The maximum length for user assertion attributes is configurable. To modify the maximum length of assertion attributes, change the settings in the EntitlementGenerator.properties file.

Note: The property name in the file is specific to the protocol you are configuring.

Follow these steps:

  1. On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\EntitlementGenerator.properties.
  2. Open the file in a text editor.
  3. Adjust the maximum user attribute length for the protocols in use in your environment. The settings for each protocol are as follows:

    WS-Federation

    Property Name: com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for WS-FED assertion attributes.

    SAML 1.x

    Property Name: com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML1.1 assertion attributes.

    SAML 2.0

    Property Name: com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML2.0 assertion attributes

  4. Restart the Policy Server after any change to these parameters.
Use a Script to Create a New Attribute

The Advanced section of the Attribute dialog contains the Script field. This field displays the script that CA SiteMinder® generates based on your entries in the Attribute Setup section. You can copy the contents of this field and paste them into the Script field for another response attribute.

Note: If you copy and paste the contents of the Script field for another attribute, select the appropriate option in the Attribute Kind section.