How to Configure Claims Transformation at the Asserting Party

Federation Guides › Partnership Federation Guide › Assertion Configuration at the Asserting Party › How to Configure Claims Transformation at the Asserting Party

How to Configure Claims Transformation at the Asserting Party

Claims transformation manipulates claims during a federated single sign-on transaction. Claims, also known as attributes, help customize the attributes and improve the user experience at a partner.

Modifying assertion attributes lets the relying party adapt user information so a target application can use it. For example, claims transformation can associate roles at different partners in different domains. In one domain, a user is an engineering manager and belongs to a group named EngineerAdmins. However, the relying party identifies the same role as DevelAdmins. The asserting party alters the role attribute before issuing the assertion. The user is now identified with the DevelAdmins role, which the relying party application can understand.

Claims transformation occurs at the local asserting party during the assertion generation process. You configure the feature on a per-partnership basis. An assertion can be modified whether a local or remote party generates the assertion. Claims are transformed based on an expression that you configure for the partnership. The expression relies on user information from the user store and the CA SiteMinder® session store.

The software can perform three different modifications to assertion attributes:

Transformation: Changing the value of an assertion attribute to a different value.
Addition: Adding an assertion attribute if it does not exist already.
Deletion: Deleting an assertion attribute on a conditional basis.

The following figure shows the configuration steps:

Flow of claims transformatio tasks

To set up claims transformation, perform the following steps:

Prerequisites for Claims Transformation

Before you configure claims transformation, consider the following prerequisites:

Be familiar with the user store and session store attributes available.
Determine which attributes the relying party expects to receive in an assertion.
Be familiar with Java Unified Expression Language (JUEL), an open source version of the Unified Expression Language.

Learn the Attribute Expression Guidelines

Expressions are rules that instruct the software how to manipulate assertion attributes. The expression directs the software to modify, add, or delete assertion attributes. You construct expressions using the Java Unified Expression Language (JUEL). A JUEL expression evaluator examines the configured expressions and generates the resulting assertion attributes.

Define expressions in the Assertion Attributes table of the Administrative UI. Access this table by navigating to the Assertion Configuration step of the partnership wizard. This table is shown in the following figure:

assertion attribute configuration in the UI

Enter expressions in the Value column of the assertion attributes table. All attributes in an expression are user store or session store attributes.

Typically, the expression operates on a conditional basis. If the condition is met, the designated claims modification occurs. For example, an incoming assertion contains the "role" attribute. The expression to modify the "role" assertion attribute is:

#{attr["title"] == 'manager' ? 'administrator' : attr["title"]}

The first part of the expression #{attr["title"] == 'manager' tells the software to determine whether the logged-in user has the title "manager." The lookup is done in the user directory. If this condition is met, the second part of the expression, ? 'administrator' : assigns the value "administrator" to the role assertion attribute. If the condition is not met, the last part of the expression, attr["title"]} indicates that the value of the user attribute "title" remains "manager." The value "manager" is assigned to the assertion attribute "role."

Note: You can use static values in an expression in place of the syntax attr["title"], such as 'administrator' in the previous example.

The example assumes the "role" attribute is already in the assertion. Therefore, the expression is a transformation of an existing attribute. If "role" is not part of the assertion, the software adds the role attribute to the assertion.

Expression Syntax

Construct expressions using the proper syntax:

Represent a user store attribute with the string attr["attribute_name"].
Represent a session store attribute with the string session_attr["attribute_name"].
Delete a claim using the argument ‘DELETE’.

Use lower-case text for the attr and session_attr prefixes. Attribute names are not case-sensitive.

Additionally, be aware of these conditional JUEL operators:

Operator	Meaning
conditional value ? value1 : value2	The conditional value resolves to either value1 or value 2.
!=	Does not equal
==	Equals

Important! The attribute in the expression must be available in the user directory or the session store. If an attribute is incorrect, the system simply includes blanks for corresponding attributes. The assertion generation does not fail.

For more examples of expressions, read the section Configure claims Transformation at the Asserting Party.

Configure Claims Transformation at the Asserting Party

Define expressions at the partnership level. The result of these expressions modifies, adds, or deletes attributes from assertions. After the rules are defined, the assertion is modified and sent to the relying party. If you do not configure claims transformation, assertion attributes are passed "as is" to the relying party.

Follow these steps:

Log in to the Administrative UI.
Select Federation, Partnerships.
Select a partnership that you want to modify. Eligible partnerships include:
- Local Producer to Remote Consumer
- Local IdP to Remote SP
- Local IP to Remote RP
Navigate to the Assertion Configuration step in the partnership wizard.
In the Assertion Attributes section, click Add Row.
Pay particular attention to the following fields in the row. Click Help for detailed descriptions of each field.
Assertion Attribute

Enter an assertion attribute. All values in this column are assertion attributes. An attribute that is already in the assertion remains in the assertion, but it is set to a new value based on the configured expression. The attribute is removed from the assertion only if you configure a DELETE expression.

Retrieval Method

Keep the default, SSO.

Format

Designates the format for the attribute being added to the assertion. The format options vary depending on the SAML profile for the entity.

Type

Expression

Always use this value for claims transformation.

Value
Enter an expression that reflects how you want the assertion attribute is modified.

Review the guidelines about constructing claims expressions and the following examples:
(Optional for SAML 2.0 and WSFED with token type SAML 2.0). To encrypt assertion attributes, select Encrypt. The asserting party encrypts the assertions using the certificate that is specified in the partnership configuration.
The relying party decrypts the assertion attributes using the private key that is associated with the certificate.
Add as many rows as you like for the assertion attributes you want to configure.

Claims transformation is implemented based on the configured entries in the partnership.

Transform a Claim in an Assertion

Transforming a claim changes an assertion attribute value to another value.

Note: These examples only show entries for Assertion Attribute, Type, and Value.

Transformation Example 1

The following example assumes the "title" attribute is already in the assertion. The table indicates the user attributes in the user store.

User Directory Attributes	Attribute Value
role	admin
admintitle	SeniorAdmin
supertitle	SuperUser

Transform the value of the existing title attribute using the following configuration:

Assertion Attribute: title
Type: Expression
Value: #{attr[“role”] == ‘admin’ ? attr[“admintitle”] : attr[“supertitle”]}

Result: The expression is conditional based on the "role" user attribute being set to "admin." Assuming this condition is met, the assertion attribute "title" is set to the value SeniorAdmin, the "admintitle" attribute. If the role is something other than "admin," the "title" attribute becomes SuperUser, the value of the "supertitle" attribute.

Transformation Example 2

The following example assumes that the ContactNo attribute is already in the assertion.

User Directory Attributes	Attribute Value
homephone	555-3344
mobile	555-8888

Transform the value of the existing title attribute using the following configuration:

Assertion Attribute: ContactNo
Type: Expression
Value: #{attr["homephone"] == '555-3344' ? attr["mobile"] : attr["homephone"]}

Result: The expression is conditional on the logged-in user having the "homephone" user attribute set to 555-3344. Assuming this condition is met, the assertion attribute is set to 555-8888, the value of the "mobile" attribute. If the condition is not met, the "homephone" value does not change.

Note: To configure an expression that uses session attributes, replace attr["attribute_name"] with session_attr[“attribute_name”]. For example:

#{session_attr[“att1”] == ‘admin’ ? session_attr[“attr2”] : attr[“attr3”]}

Add a Claim to an Assertion

You can add an assertion attribute that is not already present.

Addition Example 1

The following example assumes the "title" assertion attribute is not in the assertion.

User Directory Attribute	Attribute Value
role	admin
admintitle	director
supertitle	executive

The following configuration adds the title attribute to the assertion.

Assertion Attribute: title
Type: Expression
Value: #{attr[“role”] == ‘admin’ ? attr[“admintitle”] : attr[“supertitle”]}

Result: The expression is conditional on the logged-in user having the "role" attribute set to admin. Assuming this condition is met, the assertion attribute "title" is added to the assertion and set to the value "director," the "admintitle" attribute value. If the role is something other than "admin," the assertion attribute "title" is added but the value becomes "executive," the value of the "supertitle" attribute.

Addition Example 2

The following example assumes the "smtitle" assertion attribute is not in the assertion.

User Directory Attribute	Attribute Value
title	manager


Assertion Attribute: smtitle
Type: Expression
Value: #{attr["title"] == 'manager' ? 'federation administrator' : attr["title"]}

Result: If the logged-in user has the title of "manager," add "smtitle" to the assertion and set its value to "federation administrator." You can enter any static value after the question mark instead of using the syntax attr["attribute_name"]. In this example, the static value is federation administrator,

Note: To configure an expression that uses session attributes, replace attr["attribute_name"] with session_attr[“attribute_name”]. For example:

#{session_attr[“att1”] == ‘admin’ ? session_attr[“attr2”] : attr[“attr3”]}

Delete a Claim from an Assertion

You can delete an assertion attribute.

Deletion Example 1

Delete the admintitle and supertitle assertion attributes by configuring two entries.

User Directory Attribute	Attribute Value
role	admin or superuser
title	administrator
su	superuser


Assertion Attribute: admintitle
Type: Expression
Value: #{attr[“role”] == ‘superuser’ ? ‘DELETE’ : attr[“title”]}

Result: The expression string is conditional based on the "role" user attribute. If the logged-in user has the role of superuser, delete the assertion attribute "admintitle." If the role is not superuser, set the title assertion attribute to the value of administrator, the value of the title user directory attribute.

Assertion Attribute: supertitle
Type: Expression
Value: #{attr[“role”] == ‘admin’ ? ‘DELETE’ : attr[“su”]}

Result: The expression string is conditional on the "role" user attribute. If the logged-in user role is "admin," delete the assertion attribute "supertitle." If the role is not "admin," set the supertitle assertion attribute to the value of superuser, the value of the su user directory attribute.

Deletion Example 2

The following example combines an addition and a deletion using one expression.

User Directory Attribute	Attribute Value
title	manager

Assertion attribute: ManagerName
Type: Expression
Value: #{attr["title"] != 'Manager' ? attr["manager"] : 'DELETE'}

Result: If the logged-in user does not have the user attribute title "manager," add the ManagerName attribute to the assertion. However, if the logged-in user title is manager, delete the ManagerName attribute, assuming it is part of the assertion.

Note: To configure an expression that uses session attributes, replace attr["attribute_name"] with session_attr[“attribute_name”]. For example:

#{session_attr[“att1”] == ‘admin’ ? session_attr[“attr2”] : attr[“attr3”]}