

Configure Attributes for SSO Assertions

Attributes can provide information about a user requesting access to a Service Provider resource. An attribute statement passes user attributes, DN attributes, or static data from the Identity Provider to the Service Provider in a SAML assertion.

To configure an attribute

  1. In the Service Provider Properties dialog box, click the Attributes tab.
  2. Click Create.

    The SAML Service Provider Attribute dialog box opens.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. From the Attribute drop-down list, select the name format identifier, as specified by the <NameFormat> attribute within the <Attribute> element of an assertion attribute statement. This value classifies the attribute name so that the Service Provider can interpret the name.

    The options are:

    unspecified

    Indicates that the interpretation of the name is left to your implementation.

    basic

    Indicates that the name format must use acceptable values from the set of values belonging to the primitive type xs:Name.

    URI

    Indicates that the name format must follow the standards for a URI reference. How the URI is interpreted is specific to the application using the attribute value.

  4. From the Attribute Setup tab, select one of the following radio buttons in the Attribute Kind group box. Your selection of the Attribute Kind radio button determines the available fields in the Attribute Fields group box.

    Static

    Returns data that remains constant.

    User Attribute

    Returns profile information from a user’s entry in a user directory.

    Note: For attributes from an LDAP user store, you can add multi-valued user attributes to an assertion. Review the Help for the Attribute Name field in this dialog for information about multi-valued attributes.

    DN Attribute

    Returns profile information from a directory object in an LDAP or ODBC user directory.

    If you select the DN Attribute radio button, you can also select Allow Nested Groups. Selecting this check box allows SiteMinder to return an attribute from a group that is nested in another group. Nested groups often occur in complex LDAP deployments.

  5. Configure the relevant fields in the Attribute Fields section of the dialog. The settings vary depending on the Attribute Kind selection. The options are:
  6. (Optional) If the attribute is retrieved from an LDAP user directory that contains nested groups (groups that contain other groups), and you want the Policy Server to retrieve DN attributes from the nested groups, select the Allow Nested Groups check box in the Attribute Kind group box.
  7. (Optional) If you want the attribute values encrypted, select the Encrypted check box.
  8. For the Retrieval Method, accept the default value SSO to ensure this attribute is used for single sign-on assertions and not for attribute assertions.
  9. Click OK to save the changes.
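
How a Service Provider might check the name formats from step 3 when it receives the attribute statement, including a multi-valued attribute. This is an added example, not SiteMinder code: the sample statement, attribute names, and function names are constructed for illustration, and the ASCII-only xs:Name pattern and the absolute-URI requirement are simplifying assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
# Assumption: ASCII-only approximation of xs:Name (the full type also allows Unicode letters).
XS_NAME = re.compile(r"^[A-Za-z_:][A-Za-z0-9_:.\-]*$")

# Constructed sample: valid basic and URI names, a mislabeled basic name, and no NameFormat.
SAMPLE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="department" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>finance</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>Alex</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="member of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue>cn=admins</saml:AttributeValue>
    <saml:AttributeValue>cn=ops</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="costCenter">
    <saml:AttributeValue>4411</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def name_matches_format(name, name_format):
    kind = name_format[len(FMT):] if name_format.startswith(FMT) else None
    if kind == "unspecified":
        return True  # interpretation is left to the implementation
    if kind == "basic":
        return bool(XS_NAME.match(name))
    if kind == "uri":
        return bool(urlparse(name).scheme)  # assumption: require an absolute URI
    return False  # unknown format identifier: reject rather than guess

def check_statement(xml_text):
    """Return {attribute name: (name fits its declared format, list of values)}."""
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name")
        # SAML 2.0 treats an absent NameFormat as "unspecified".
        fmt = attr.get("NameFormat", FMT + "unspecified")
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        result[name] = (name_matches_format(name, fmt), values)
    return result
```

Run such a check only on an assertion whose signature has already been verified; attributes sent with the Encrypted option arrive as `<EncryptedAttribute>` elements and must be decrypted before they can be inspected this way.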