Authorize Users with Attributes from an Assertion Query

This section contains the following topics:

Perform Authorizations with an Attribute Authority

Flow Diagram for Authorizing a User with User Attributes

How to Configure an Attribute Authority and a SAML Requester

Set up the Attribute Authority

Set up a SAML Requestor to Generate Attribute Queries

Perform Authorizations with an Attribute Authority

The Policy Server authorizes a user with the following types of information:

The Policy Server also authorizes a user with user attributes that a SAML 2.0 Attribute Authority provides. When a user requests access to a protected resource, the Policy Server, as the authorizing entity, can request more user attributes. The Policy Server evaluates these attributes before granting access to the resource.

The SAML 2.0 Assertion Query/Request profile employs two entities:

SAML Attribute Authority

The SAML Attribute Authority relies on an Attribute Service to process a query message and add attributes to an assertion. These assertions contain user attributes that a SAML Requester uses to authorize access to protected resources. The Attribute Service is part of the Federation Web Services application.

When an entity makes a request to an Attribute Authority, the message contains the user attributes that the requester wants to retrieve. The message also contains the Name ID and the Issuer of the request. The Attribute Service uses the NameID to disambiguate the user so it knows what values to return for the requested attributes. The Attribute Service returns a response message that includes an attribute assertion that is wrapped in a SOAP message. This response includes the user attributes.

Note: The user does not need to be authenticated at the Attribute Authority. Also, there is no need for a single sign-on relationship between the Authority and the Requester.

SAML Requester

The SAML Requester is a SAML entity that uses the SAML 2.0 Assertion Query/Request profile to request attributes for a user. For SiteMinder, the SAML Requester is not a specific service, but a group of Policy Server features that can produce and process <AttributeQuery> messages. The Requester asks for the user attributes from the Attribute Authority because the protected target resource always resides at the SAML requester. The Requester resolves these attributes into variables that a policy expression uses.

Note: In a SiteMinder federated environment, the SAML Attribute Authority is typically the Identity Provider and the SAML Requester is typically the Service Provider. However, this does not have to be the case.

To evaluate an authorization request that is based on SAML 2.0 user attributes, add an attribute type named federation attribute variable to a policy expression. The policy protecting the target resource uses this variable. Based on the policy variable, the SAML Requester sends a query message to the Attribute Authority. This query message contains the Name ID for the SAML entity for which the attributes are being requested. The SAML Attribute Authority returns a response message containing assertions with the attribute statements.

A user must have a session at the SAML Requester; however, the user does not have to log in or authenticate at the Attribute Authority.

The following figure shows how an attribute query is processed.

Graphic showing how an attribute query is processed

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

Flow Diagram for Authorizing a User with User Attributes

The following flow diagram shows the authorization process with an Attribute Authority.

Graphic showing the Attribute Query Response

The sequence of a user attribute request is as follows:

  1. A user accesses a protected resource. The user can log in locally or can be authenticated through a SAML assertion.
  2. The Web Agent at the SAML Requester calls the local Policy Server to determine whether the user is authorized to access the resource. The policy that protects the resource uses a policy expression for authorization with a federated attribute variable.
  3. The Policy Server tries to resolve these variables but cannot. The Policy Server looks up the user in the local user store to obtain the NameID of the user.
  4. An attribute query is sent to the AttributeService URL at the Attribute Authority. The AttributeQuery contains the user's NameID and the requested attributes.
  5. The Attribute Authority returns a SAML response containing an assertion with the requested attributes.
  6. The SAML Requester completes the resolution of variables and then evaluates the policy expression.
  7. An authorization status message is returned to the Web Agent.
  8. Depending on the authorization status, the Web Agent allows or denies access to the requested resource.
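The following Python script is an added example, not SiteMinder code, that models steps 4 to 6 of the sequence above together with the message contents described under SAML Attribute Authority: the Requester builds a SOAP-wrapped <AttributeQuery> carrying the Issuer, the NameID and the requested attributes; a mock Attribute Service resolves the NameID against a constructed user store and returns a Response whose assertion holds an AttributeStatement (or a non-success status when the NameID is unknown); the Requester then turns the returned attributes into variables and evaluates the policy check. The issuer URL, the user store contents and the attribute names are assumptions.

```python
import xml.etree.ElementTree as ET
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample user store at the Attribute Authority, keyed by NameID (assumption).
USER_STORE = {"jdoe@example.com": {"department": "finance", "clearance": "high"}}

def build_attribute_query(issuer, name_id, attribute_names, query_id="_q1"):
    """Requester side (step 4): Issuer, NameID and requested attributes in SOAP."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    q = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"),
                      f"{{{SAMLP}}}AttributeQuery", ID=query_id, Version="2.0")
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    ET.SubElement(ET.SubElement(q, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = name_id
    for name in attribute_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", Name=name)
    return ET.tostring(env)

def attribute_service(query_xml):
    """Authority side (step 5): disambiguate the user by NameID and respond."""
    q = ET.fromstring(query_xml).find(".//samlp:AttributeQuery", NS)
    user = USER_STORE.get(q.findtext("saml:Subject/saml:NameID", namespaces=NS))
    env = ET.Element(f"{{{SOAP}}}Envelope")
    resp = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SAMLP}}}Response",
                         Version="2.0", InResponseTo=q.get("ID"))
    code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode")
    # Unknown NameID: non-success status and no assertion at all.
    code.set("Value", SUCCESS if user is not None else "urn:oasis:names:tc:SAML:2.0:status:Responder")
    if user is not None:
        assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", Version="2.0")
        stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        for name in (a.get("Name") for a in q.findall("saml:Attribute", NS)):
            if name in user:  # answer only the attributes that were asked for
                attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
                ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = user[name]
    return ET.tostring(env)

def resolve_variables(response_xml):
    """Requester side (step 6): map returned attributes to policy variables."""
    root = ET.fromstring(response_xml)
    ok = root.find(".//samlp:StatusCode", NS).get("Value") == SUCCESS  # else unresolved
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", NS) if ok else []
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS) for a in attrs}

def authorize(name_id, required):
    """Steps 4-7: allow only when every required variable resolves and matches."""
    query = build_attribute_query("https://sp.example.com", name_id, list(required))
    variables = resolve_variables(attribute_service(query))
    return all(variables.get(k) == v for k, v in required.items())
```

A variable that the Authority does not return stays unresolved, so the policy expression cannot be satisfied and access is denied, which is the same outcome as a non-success status.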

How to Configure an Attribute Authority and a SAML Requester

In a SiteMinder context, the Attribute Authority is the Identity Provider.

To configure SiteMinder to act as a SAML Attribute Authority

  1. Define a search specification for locating a user. Enter the NameID into the search specification.
  2. Configure the back channel across which the Authority sends the response to a query.
  3. Define the attributes that are returned in response to a query.
  4. Grant users access to the attribute authority service.

In a SiteMinder context, the SAML Requester is the Service Provider.

To configure SiteMinder as a SAML Requester

  1. Enable the attribute query functionality.
  2. Configure the back channel across which the Requester receives the response from the Authority.
  3. Define the list of attributes requested in the attribute query.
  4. Configure the federation attribute variables.
  5. Configure the NameID for inclusion in the attribute query.