Configure Attributes for Inclusion in Assertions (optional)

Attributes can provide information about a user requesting access to a Service Provider resource. An attribute statement passes user attributes, DN attributes, or static data from the Identity Provider to the Service Provider in a SAML assertion. Any configured attributes are included in the assertion in a single <AttributeStatement> element or in the <EncryptedAttribute> element.

Note: Attribute statements are not required in an assertion.

Attributes are used by servlets, Web applications, or other custom applications to display customized content or enable other custom features. When used with Web applications, attributes can implement fine-grained access control by limiting what a user can do at the Service Provider. For example, you can send an attribute variable named Authorized Amount and set it to a maximum dollar amount that the user can spend at the Service Provider.

Attributes take the form of name/value pairs. When the Service Provider receives the assertion, it takes the attribute values and makes them available to applications.
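The following added example (not part of the product documentation or SiteMinder code) shows the Service Provider side of the Authorized Amount scenario: it reads the name/value pairs from an <AttributeStatement> and applies the spending limit, denying the request when the attribute is missing, multi-valued, or malformed. The sample assertion is constructed, the function names are hypothetical, and the assertion signature is assumed to have been validated before this code runs.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion whose signature is assumed to have been
# validated already by the Service Provider before attributes are read.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="Authorized Amount">
      <saml:AttributeValue>250.00</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Department">
      <saml:AttributeValue>Purchasing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def extract_attributes(assertion_xml):
    """Return {name: [values]} from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        if name:
            attrs.setdefault(name, []).extend(values)
    return attrs

def purchase_allowed(attrs, requested):
    """Fail closed: deny unless exactly one well-formed limit covers the request."""
    values = attrs.get("Authorized Amount", [])
    if len(values) != 1:
        return False  # missing or ambiguous (multi-valued) limit
    try:
        limit = Decimal(values[0])
        amount = Decimal(requested)
    except InvalidOperation:
        return False  # non-numeric limit or request
    if not limit.is_finite() or not amount.is_finite() or amount <= 0:
        return False  # rejects NaN, Infinity, and non-positive amounts
    return amount <= limit
```

Decimal is used instead of float so that currency comparisons at the limit boundary are exact.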

Attributes can be made available as HTTP Headers or HTTP Cookies.

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

You configure attributes in the Attributes tab of the Service Provider Properties dialog. Configuration involves choosing an Attribute Kind, then filling in values for the variable name and attribute value.


Copyright © 2010 CA. All rights reserved.