Federation Security Services Guide › Identify Service Providers for a SAML 2.0 Identity Provider › Configure Attributes for Inclusion in Assertions (optional) › Configure Attributes for SSO Assertions

Configure Attributes for SSO Assertions

To configure an attribute

1. In the Service Provider Properties dialog box, click on the Attributes tab.
2. Click Create.

   The SAML Service Provider Attribute dialog box opens.

3. From the Attribute drop down list, select the name format identifier, as specified by the <NameFormat> attribute within the <Attribute> element of an assertion attribute statement. This value classifies the attribute name so that the Service Provider can interpret the name.

   The options are:

   • unspecified

     Determines how the name interpretation is left to your implementation

   • basic

     Indicates that the name format must use acceptable values from the set of values belonging to the primitive type xs:Name.

   • URI

     Indicates that the name format must follow the standards for a URI reference. How the URI is interpreted is specific to the application using the attribute value.

4. From the Attribute Setup tab, select one of the following radio buttons in the Attribute Kind group box. Your selection of the Attribute Kind radio button determines the available fields in the Attribute Fields group box.
   • Static

     Returns data that remains constant.

     Use a static attribute to return a string as part of a SiteMinder response. This type of response can be used to provide information to a Web application. For example, if a group of users has specific customized content on a Web site, the static response attribute, show_button = yes, could be passed to the application.

   • User Attribute

     Returns profile information from a user's entry in a user directory.

     This type of response attribute returns information associated with a user in a directory. A user attribute can be retrieved from an LDAP, WinNT, or ODBC user directory.

     Note: For the Policy Server to return user directory attributes as response attributes, the user directories must be configured FSS Administrative UI.

   • DN Attribute

     Returns profile information from a directory object in an LDAP or ODBC user directory.

     This type of attribute is used to return information associated with directory objects to which the user is related. Groups to which a user belongs, and Organizational Units (OUs) that are part of a user DN, are examples of directory objects whose attributes can be treated as DN attributes.

     For example, you can use a DN attribute to return a company division for a user, based on the user's membership in a division.

     Note: For the Identity Provider to return an attribute containing DN attributes values, the user directories must be configured in the Policy Server User Interface.

     If you select the DN Attribute radio button, you may also select the Allow Nested Groups check box. Selecting this check box allows SiteMinder to return an attribute from a group that is nested in another group specified by a policy. Nested groups often occur in complex LDAP deployments.

5. Optionally, if the attribute is retrieved from an LDAP user directory that contains nested groups (groups that contain other groups), and you want the Policy Server to retrieve DN attributes from the nested groups, select the Allow Nested Groups check box in the Attribute Kind group box.
6. Optionally, if you want the attribute values encrypted, select the Encrypted checkbox.
7. For the Retrieval Method, accept the default value SSO to ensure this attribute is used for single sign-on assertions and not for attribute assertions.
8. Click OK to save the changes.