Federation Guides › Partnership Federation Guide › Single Sign-on Configuration › How to Enable SAML 2.0 Attribute Query Support

How to Enable SAML 2.0 Attribute Query Support

A CA SiteMinder® IdP supports the SAML 2.0 Assertion Query/Request profile and can respond to attribute queries. The IdP also extends the profile functionality by accepting queries for attributes not in the assertion or in the metadata. When the IdP receives an attribute query, the IdP first checks its user directory to find the attributes. If the attributes are not found, the Policy Server checks the session store. The session store can hold attributes from external Identity Providers, attributes collected from advanced authentication schemes, and other sources.

Note: Only the CA SiteMinder® IdP supports the query profile. A CA SiteMinder® SP as an attribute requester is only supported for the proxied attribute query feature.

The IdP has all the user attributes that an SP can request in its metadata. An SP can obtain these attributes in two ways:

• Extract the set of attributes that are sent in an assertion.

  The Identity Provider assertion configuration determines the set of attributes included. Defining a subset of all the attributes limits the number of attributes to the most essential, which reduces processing overhead.

• Import the IdP metadata.

In addition to the attributes in the metadata, an SP can require attributes that are not in the assertion or in the metadata. To retrieve other attributes, the SP sends an attribute query to the IdP.

The query request profile employs two entities:

• SAML Attribute Authority
• SAML Attribute Requester

A CA SiteMinder® IdP can only act as an Attribute Authority. A CA SiteMinder® SP cannot be the Attribute Requester.

The following graphic shows the configuration steps for an Attribute Authority.

Complete the the following steps:

• Configure or modify an IdP-to-SP partnership.
• At the Identity Provider, configure a SAML 2.0 Attribute Authority.

If CA SiteMinder® is at both sides of the partnership, you cannot use the Assertion Query/Response profile.

Configure the Partnership for Attribute Query Support

For the IdP to respond to attribute queries, an IdP-to-SP partnership must exist. You can create a partnership or modify an existing partnership.

The steps for creating a partnership include:

1. Create the SAML 2.0 IdP and SP entities.
2. Configure a connection to a user directory for the partnership.
3. Create a SAML 2.0 IdP-to-SP partnership.
4. Configure a SAML 2.0 Attribute Authority.

These steps are detailed throughout this guide.

Configure the SAML 2.0 Attribute Authority

You can configure an IdP to serve as an Attribute Authority.

Follow these steps:

1. Log in to the Administrative UI.
2. Select Federation, Partnership Federation, Partnerships.
3. Select the IdP-to-SP partnership that you want to modify or create a new one.
4. Navigate to the SSO and SLO step of the partnership wizard.
5. Select Enable in the Attribute Service section of the dialog.
6. Enter a number of seconds for the Validity Duration.

   Note: Click Help for a description of fields, controls, and their respective requirements.

7. (Optional) Specify whether to require that the attribute query is signed, and the signing requirements for attribute assertions and responses.
8. Enter the search specifications for the appropriate user directory name space in the User Lookup section. The Attribute Authority uses this search specification to disambiguate the user.

   An example for an LDAP user directory is uid=%s. At least one search specification is required.

9. (Optional) Specify Partnership as the Protection Type in the Back Channel section. Select an authentication method. For more information about the back channel, click Help.
10. Save and activate the partnership.

The Identity Provider is now set up to serve as an Attribute Authority. This authority can now respond to attribute queries from a third-party SP.