

Configure Attributes for Assertions (optional)

Attributes can provide information about a user requesting access to a Service Provider resource. An attribute statement passes user attributes, DN attributes, or static data from the Identity Provider to the Service Provider in a SAML assertion. All configured attributes are carried in the assertion within a single <AttributeStatement> element or within the <EncryptedAttribute> element.

Note: Attribute statements are not required in an assertion.

Servlets, web applications, or other custom applications use attributes to display customized content or enable other custom features. When used with web applications, attributes can implement fine-grained access control by limiting what a user can do at the Service Provider. For example, you can send an attribute variable named Authorized Amount set to a maximum dollar amount. The amount is the limit that the user can spend at the Service Provider.

Attributes take the form of name/value pairs. When the Service Provider receives the assertion, it takes the attribute values and makes them available to applications.

Attributes can be made available as HTTP Headers or HTTP Cookies.
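The following is an added example, not code from the product documentation, showing both ends of what this section describes: the Identity Provider side builds a SAML 2.0 <AttributeStatement> from name/value pairs, and the Service Provider side extracts those pairs from a received assertion and maps them to HTTP header names. The size limit (4096 bytes), the header-naming scheme, and the issuer URL are assumptions made for the example; the real product limits are not stated here.

```python
"""Added example (not from the product documentation): build a SAML 2.0
<AttributeStatement> from name/value pairs, then do what a Service Provider
does on receipt: extract the pairs and expose them as HTTP headers, refusing
any value that exceeds an assumed size limit rather than truncating it."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ET.register_namespace("saml", SAML_NS)

# Assumed limit for this example; the product's actual header/cookie limits
# are not given in this section.
MAX_HEADER_VALUE_BYTES = 4096


def build_attribute_statement(attrs):
    """Return a <saml:AttributeStatement> carrying name/value pairs.
    attrs: dict mapping attribute name -> value (or list of values)."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        values = value if isinstance(value, list) else [value]
        for v in values:
            av = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
            av.text = str(v)
    return stmt


def build_assertion(issuer, attrs):
    """Wrap the statement in a minimal <saml:Assertion> and serialise it.
    (Unsigned and unencrypted: enough to show the attribute structure only.)"""
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion", Version="2.0", ID="_example")
    iss = ET.SubElement(assertion, f"{{{SAML_NS}}}Issuer")
    iss.text = issuer
    assertion.append(build_attribute_statement(attrs))
    return ET.tostring(assertion, encoding="unicode")


def extract_attributes(assertion_xml):
    """Service Provider side: collect name -> [values] from every
    AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [av.text or "" for av in attr.findall("saml:AttributeValue", NS)]
        result.setdefault(name, []).extend(values)
    return result


def to_http_headers(attributes, max_bytes=MAX_HEADER_VALUE_BYTES):
    """Map attributes to header name/value pairs. Multi-valued attributes are
    joined with commas. Values over the limit are dropped and reported, so an
    application never acts on a silently shortened value."""
    headers, rejected = {}, []
    for name, values in attributes.items():
        joined = ",".join(values)
        if len(joined.encode("utf-8")) > max_bytes:
            rejected.append(name)
            continue
        # Assumed naming scheme: replace characters not valid in a header name.
        header_name = "".join(ch if ch.isalnum() or ch == "-" else "-" for ch in name)
        headers[header_name] = joined
    return headers, rejected


if __name__ == "__main__":
    # Constructed sample input mirroring the "Authorized Amount" example above.
    xml = build_assertion("https://idp.example.com", {"Authorized Amount": "5000"})
    print(xml)
    print(to_http_headers(extract_attributes(xml)))
```

The rejection path matters more than it looks: a Service Provider that truncates an oversized attribute value would hand the application a different value from the one the Identity Provider asserted, which is exactly the kind of silent change that breaks fine-grained access decisions such as the spending-limit example.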

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

Configure attributes in the Attributes tab of the Service Provider Properties dialog. Configuration involves choosing an Attribute Kind and then filling in values for the variable name and the attribute value.

Attributes for SSO and Attribute Query Requests

Indicate whether an attribute that you configure is for a single sign-on request, or for an attribute query request. The retrieval method that you configure determines the function of the attribute.

To use the same attribute for both services, create two attribute statements that use the same attribute name and variable, with one statement using SSO as the retrieval method and the other using Attribute Service.