SAML 2.0 Attribute Authority

SiteMinder supports authorization that uses the values of predetermined user attributes from a remote site as the basis for the authorization decision. The request contains no session information, because the user is not necessarily authenticated on the remote site.

For example, imagine a customer logs on to a car rental agency site to inquire about rates. The customer is authenticated by the agency, but to provide a competitive rate, the agency uses information from the customer's preferred airline. The car rental agency puts in a request to the airline's Web site to obtain the customer's quality code, which is based on the customer's accrued frequent flier miles. The airline returns the value of the quality code, for instance, 1A, and the car agency displays a customized rate sheet.

In this example, the car rental agency acts as the SAML Requester, and the airline acts as a SAML Attribute Authority. Note that the customer is not authenticated by the Attribute Authority.

The Policy Server implements this kind of authorization decision by using variables within policy expressions. In the policy expressions, Federation Attribute Variables associate an attribute with a remote Attribute Authority. When the Policy Server attempts to resolve a Federation Attribute Variable, it determines the Attribute Authority from which to request the value of the attribute.

In the Policy Management API, the Sm_PolicyApi_SAMLRequesterAttr_t structure defines an attribute that can be requested by the SAML Requester. It specifies the actual name of the attribute known by the Attribute Authority, as well as a local name used in Federation attribute variables. The local name maps to a variable defined in the SAML 2.0 authentication scheme.
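The requester side of the exchange described above, sketched in Python as an added example (it is not SiteMinder code and does not use the Policy Management API): it builds a SAML 2.0 AttributeQuery for the car rental scenario and maps the authority's answer back to a local variable name. The attribute name urn:example:airline:quality-code, the local name qualityCode, the function names and the constructed response are assumptions; XML signature and validity-window checks, which a real requester also needs, are left out.

```python
import time
import uuid
import xml.etree.ElementTree as ET  # untrusted XML: prefer a hardened parser (e.g. defusedxml)

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical mapping: local variable name -> attribute name known to the authority
LOCAL_TO_REMOTE = {"qualityCode": "urn:example:airline:quality-code"}

def build_attribute_query(requester, name_id, local_names):
    """Return (request_id, xml): names a subject and attributes, carries no session data."""
    rid = "_" + uuid.uuid4().hex
    now = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    query = ET.Element("{%s}AttributeQuery" % NS["samlp"],
                       {"ID": rid, "Version": "2.0", "IssueInstant": now})
    ET.SubElement(query, "{%s}Issuer" % NS["saml"]).text = requester
    subject = ET.SubElement(query, "{%s}Subject" % NS["saml"])
    ET.SubElement(subject, "{%s}NameID" % NS["saml"]).text = name_id
    for local in local_names:
        ET.SubElement(query, "{%s}Attribute" % NS["saml"], {"Name": LOCAL_TO_REMOTE[local]})
    return rid, ET.tostring(query, encoding="unicode")

def resolve_attributes(response_xml, request_id, authority, name_id):
    """Map returned attributes to local names; reject responses that do not match the query."""
    resp = ET.fromstring(response_xml)
    if resp.get("InResponseTo") != request_id:
        raise ValueError("response does not answer this request")
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("attribute authority did not return Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != authority:
        raise ValueError("assertion missing or from an unexpected issuer")
    if assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) != name_id:
        raise ValueError("assertion describes a different subject")
    remote_to_local = {remote: local for local, remote in LOCAL_TO_REMOTE.items()}
    attrs = assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)
    # Attributes that were never requested are ignored rather than trusted
    return {remote_to_local[a.get("Name")]: a.findtext("saml:AttributeValue", namespaces=NS)
            for a in attrs if a.get("Name") in remote_to_local}

def sample_response(request_id, authority, name_id, value):
    """Constructed Response standing in for the airline's reply (not captured traffic)."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'InResponseTo="{request_id}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
            f'</samlp:Status><saml:Assertion><saml:Issuer>{authority}</saml:Issuer><saml:Subject>'
            f'<saml:NameID>{name_id}</saml:NameID></saml:Subject><saml:AttributeStatement><saml:Attribute '
            f'Name="{LOCAL_TO_REMOTE["qualityCode"]}"><saml:AttributeValue>{value}</saml:AttributeValue>'
            f'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
```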

Note: For more information about using SAML 2.0 Attribute Authorities, see the Federation Security Services Guide.

More Information:

Sm_PolicyApi_SAMLRequesterAttr_t

SAML 2.0 Attribute Authority Functions


Copyright © 2010 CA. All rights reserved.