

How To Add Session Attributes to an Assertion

The Policy Server uses the session store to persist dynamic user information after a user is authenticated. The stored information includes authentication context information, SAML attributes, third-party IdPs that authenticate users, and claims from an OAuth authentication. The Policy Server can use this information for generating user tokens or making policy decisions.

For federated single sign-on, the Policy Server can add the attributes from the session store to an assertion to customize the requested application.

Session attributes are stored for the following deployments:

The following figure shows the steps that are required to configure session attributes and add them to assertions.

Steps for configuring session attributes for an assertion

Complete the following steps for session attribute support:

  1. Determine which session attributes are available.
  2. Add session attributes to the assertion configuration.
  3. Confirm the authentication mode and URL for SSO.
  4. Configure an authentication scheme to persist session attributes.
  5. Create a policy to protect the authentication URL.
Determine which Session Attributes are Available

As the federation administrator, identify the session attributes used by the partnership. Work with the owner of the authentication source, such as a database or user directory, so that you are familiar with the available attributes.

Add Session Attributes to the Assertion Configuration

Add session attributes to the assertion configuration. The configuration is at the asserting party, such as the IdP-to-SP partnership.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Navigate to the Assertion Configuration step of the partnership wizard.
  3. In the Assertion Attributes section, click Add Row.
  4. To configure a session attribute, complete the settings in the table. For example:

    Assertion Attribute: IssuerID

    Retrieval Method: SSO

    Format: Unspecified

    Type: Session Attribute

    Value: IssuerID

    Click Help for detailed information about the attribute table.

  5. Add rows for as many entries as needed.
  6. (Optional) Select Encrypt to encrypt the attribute.
  7. Click Next to move to the SSO and SLO step.
Session Attribute Examples in the Administrative UI

The last two entries of the following graphic show examples of session attribute entries. This screen is for a SAML 2.0 partnership. The SAML 1.1 screen is similar, but the Retrieval Method and Format columns are missing. A Namespace column exists instead.

Graphic of Assertion Attributes table
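The rows configured above end up as Attribute elements in the AttributeStatement of the issued assertion (an encrypted row becomes an EncryptedAttribute). The following added example, which is not part of this documentation or of the product, parses a constructed SAML 2.0 assertion and checks that the configured session attributes (the IssuerID row from the table, NameFormat "unspecified") were actually emitted; the assertion text, issuer name and attribute values are assumed sample data.

```python
# Added example, not product code: verify that session attributes configured
# in the Assertion Attributes table appear in the assertion that is issued.
# The assertion below is a constructed sample, not captured from a real IdP.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="IssuerID" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>CN=Example Issuing CA,O=Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="SubjectDN" NameFormat="{UNSPECIFIED}">
      <saml:AttributeValue>CN=jdoe,OU=Users,O=Example</saml:AttributeValue>
    </saml:Attribute>
    <saml:EncryptedAttribute>
      <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
    </saml:EncryptedAttribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def session_attributes(assertion_xml):
    """Return ({name: [values]}, encrypted_count) for the AttributeStatement.

    Attributes marked Encrypt in the Administrative UI are emitted as
    saml:EncryptedAttribute; their names are not readable without the
    relying party's decryption key, so they are only counted here.
    """
    root = ET.fromstring(assertion_xml)
    attrs, encrypted = {}, 0
    for stmt in root.findall("saml:AttributeStatement", NS):
        for attr in stmt.findall("saml:Attribute", NS):
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            attrs.setdefault(attr.get("Name"), []).extend(values)
        encrypted += len(stmt.findall("saml:EncryptedAttribute", NS))
    return attrs, encrypted


def missing_attributes(assertion_xml, expected):
    """Configured attribute names that are absent or empty in clear text.

    An empty result for a session attribute usually means the authentication
    scheme was not set to persist session variables (see the later steps)."""
    attrs, _ = session_attributes(assertion_xml)
    return [name for name in expected if not attrs.get(name)]
```

Run missing_attributes against an assertion captured at the relying party with the list of names from your Assertion Attributes table; any name returned was configured but never populated from the session store.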

Confirm the Authentication Mode and URL for SSO

Confirm that the partnership has the authentication mode and authentication URL set correctly.

Note: This procedure assumes that the other necessary SSO settings are configured.

Follow these steps:

  1. Navigate to the SSO and SLO step of the partnership wizard.
  2. In the Authentication section, verify the settings of the following fields:

    Authentication Mode: Local

    Authentication URL: This URL must point to the redirect.jsp file, for example:

    http://myserver.idpA.com/siteminderagent/redirectjsp/redirect.jsp

    where myserver identifies the web server with the Web Agent Option Pack or the SPS federation gateway. The redirect.jsp file is included with the Web Agent Option Pack or SPS federation gateway that is installed at the asserting party.

    Protect this resource with a policy.

  3. Navigate to the Confirm step and click Finish.
Configure an Authentication Scheme to Persist Session Attributes

Configure the authentication scheme that protects the authentication URL. Enable the scheme to persist session attributes. This procedure is required for the system to store session attributes.

Follow these steps:

  1. Click Infrastructure, Authentication, Authentication Schemes.
  2. Click Create Authentication Scheme.
  3. Verify that the Create a new object of type Authentication Scheme is selected. Click OK.

    The Create Authentication Scheme page appears.

  4. Select an authentication scheme template that can persist session attributes, that is, one that requires more information than only a user name and password.

    For example, an X.509 certificate authentication scheme requires a SubjectDN and IssuerID for the certificate. An OAuth authentication scheme requires information such as first and last name. This information can be persisted in the session store and added to an assertion.

    The authentication scheme templates that you can use are:

  5. Complete the scheme-specific fields and controls.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  6. Select Persist Authentication Session Variables in the Scheme Setup section of the dialog.
  7. Click Submit to save the scheme.
Create a Policy to Protect the Authentication URL

Use the authentication scheme that persists session attributes in a policy that protects the authentication URL. When the user requests the protected resource, the policy triggers the necessary actions to authenticate the user. The system stores the credentials that the user provides as session variables.

Begin by creating a policy domain for the asserting party and assigning users. You can also modify an existing asserting party domain.

Follow these steps:

  1. Click Policies, Domain, Domains.

    The Domains page appears.

  2. Select the domain for the appropriate asserting party and modify it.
  3. Confirm that the user directory is part of the domain. If not, add the user directory by clicking Add/Remove.

    You can select one or more user directories from the Available Members list. To select more than one member at one time, hold down the Ctrl key while you click the additional members. To select a block of members, click the first member then hold down the Shift key while you click the last member in the block.

    Note: To create a user directory and add it to the domain, click Create.

  4. Click Submit.

The domain is configured.

Create a Realm and a Rule for the Authentication URL Policy

For the federation domain, create a realm and associate it with a Web Agent.

Follow these steps:

  1. Click Policies, Domain, Realms.

    The Realms page appears.

  2. Click Create Realm.
  3. Select the domain that you want to modify, and click Next.
  4. Type the name and a description of the realm.

    Specify a name that indicates the realm is for an SSO authentication URL.

  5. Select an Agent by clicking Lookup Agent/Agent Group.
  6. Select the appropriate Web Agent and click OK.
  7. Specify the Resource Filter for the redirect.jsp. For example:

    /siteminder/redirectjsp/redirect.jsp

  8. Complete the remaining fields:

    Default Resource Protection: Protected

    Authentication Scheme: Select the authentication scheme that you configured to protect the authentication URL. This scheme is the one you configured to persist session attributes.

  9. Create a rule in the Rules section.
    1. Specify a name for the rule.
    2. Accept the defaults for the remaining settings.
  10. Skip the other configuration options.
  11. Click Finish.

The realm and rule configuration is complete.

Complete the Authentication URL Policy

Create a policy that protects the authentication URL. The policy components work together and protect the resource.

After you create the policy, add users and rules.

Follow these steps:

  1. Click Policies, Domain, Domains.
  2. Search for the domain.

    A list of domains that match the search criteria appears.

  3. Select the domain for the asserting party.
  4. Click Modify.
  5. Click the Policies tab.

    The Policies page appears.

  6. Click Create.
  7. Enter a name and a description for the policy.
  8. Add individual users, user groups, or both from the Users tab. The users are members of the user directory that is associated with the domain.

    From within each user directory group box, choose Add Members, Add Entry, or Add All. Depending on which method you use, a dialog box opens enabling you to add users.

    Note: If you select Add Members, the User/Groups pane opens. The individual users are not displayed automatically. To find a specific user within one of the directories, use the search utility.

    You can edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.

  9. Add a rule from the Rules tab.
  10. Select the rule that you created for the authentication URL and click OK.

    You are not required to configure a response for the rule.

  11. Click Submit to complete the configuration.

The policy configuration is complete.

The assertion attribute, single sign-on, and policy configuration work together to make session attributes available for assertions.