Federation Security Services Guide › Identify WS-Federation Resource Partners at the Account Partner › Configure Attributes for WS-Federation Assertions (optional) › Configure Assertion Attributes for WS-Federation

Configure Assertion Attributes for WS-Federation

To configure assertion attributes

1. Log on to the FSS Administrative UI.
2. In the Resource Partner Properties dialog, click on the Attributes tab.
3. Click Create.

   The Resource Partner Attribute dialog box opens.

4. From the Attribute drop down list, select the name format identifier, which is specified by the <NameFormat> attribute in the <Attribute> element of an assertion attribute statement. This value classifies the attribute name so that the Resource Partner can interpret the name.

   The options are:

   • EmailAddress
   • UPN
   • CommonName
   • Group
   • NameValue

   For more information on these options, refer to the WS-Federation specification.

5. On the Attribute Setup tab, select one of the following radio buttons:

   Note: The radio button selection determines the available fields in the Attribute Fields group box.

   • Static

     Returns data that remains constant.

     Use a static attribute to return a string as part of a SiteMinder response. This type of response can be used to provide information to a Web application. For example, if a group of users has specific customized content on a Web site, the static response attribute, show_button = yes, could be passed to the application.

   • User Attribute

     Returns profile information from a user's entry in a user directory.

     This type of response attribute returns information associated with a user in a directory. A user attribute can be retrieved from an LDAP, WinNT, or ODBC user directory.

     For the Policy Server to return values from user directory attributes as response attributes, the user directories must be configured in the User Directory dialog box.

   • DN Attribute

     Returns profile information from a directory object in an LDAP or ODBC user directory.

     This type of attribute is used to return information associated with directory objects to which the user is related. Groups to which a user belongs, and Organizational Units (OUs) that are part of a user DN, are examples of directory objects whose attributes can be treated as DN attributes.

     For example, you can use a DN attribute to return a company division for a user, based on the user's membership in a division.

     Note: For the Account Partner to return an attribute containing DN attributes values, the user directories must be configured in the User Directory dialog box.

     If you select the DN Attribute radio button, you may also select the Allow Nested Groups check box. Selecting this check box allows SiteMinder to return an attribute from a group that is nested in another group specified by a policy. Nested groups often occur in complex LDAP deployments.

6. Optionally, if the attribute is retrieved from an LDAP user directory that contains nested groups (groups that contain other groups), and you want the Policy Server to retrieve DN attributes from the nested groups, select the Allow Nested Groups check box in the Attribute Kind group box.
7. Complete the necessary fields for you Attribute Kind and save the changes.