

Configure Assertion Attributes for WS-Federation

To configure assertion attributes

  1. Log on to the FSS Administrative UI.
  2. In the Resource Partner Properties dialog, click on the Attributes tab.
  3. Click Create.

    The Resource Partner Attribute dialog box opens.

  4. From the Attribute drop-down list, select the name format identifier. This is the value carried in the <NameFormat> attribute of the <Attribute> element in the assertion's attribute statement; it classifies the attribute name so that the Resource Partner can interpret the name correctly.

    The options are:

    For more information on these options, refer to the WS-Federation specification.

  5. On the Attribute Setup tab, select one of the following radio buttons:

    Note: The radio button selection determines the available fields in the Attribute Fields group box.

    Static

    Returns data that remains constant.

    Use a static attribute to return a string as part of a SiteMinder response. This type of response can be used to provide information to a Web application. For example, if a group of users has specific customized content on a Web site, the static response attribute, show_button = yes, could be passed to the application.

    User Attribute

    Returns profile information from a user’s entry in a user directory.

    This type of response attribute returns information associated with a user in a directory. A user attribute can be retrieved from an LDAP, WinNT, or ODBC user directory.

    For the Policy Server to return values from user directory attributes as response attributes, the user directories must be configured in the User Directory dialog box.

    DN Attribute

    Returns profile information from a directory object in an LDAP or ODBC user directory.

    This type of attribute is used to return information associated with directory objects to which the user is related. Groups to which a user belongs, and Organizational Units (OUs) that are part of a user DN, are examples of directory objects whose attributes can be treated as DN attributes.

    For example, you can use a DN attribute to return a company division for a user, based on the user’s membership in a division.

    Note: For the Account Partner to return an attribute containing DN attributes values, the user directories must be configured in the User Directory dialog box.

    If you select the DN Attribute radio button, you may also select the Allow Nested Groups check box. Selecting this check box allows SiteMinder to return an attribute from a group that is nested in another group specified by a policy. Nested groups often occur in complex LDAP deployments.

    Note: For attributes from an LDAP user store, you can add multi-valued user attributes to an assertion.

  6. Optionally, if the attribute is a DN attribute retrieved from an LDAP user directory that contains nested groups (groups that are members of other groups), and you want the Policy Server to search those nested groups for the attribute, select the Allow Nested Groups check box in the Attribute Kind group box.
  7. Complete the remaining fields for your attribute kind and save the changes.
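The following Python model shows what the three attribute kinds above (Static, User Attribute, DN Attribute) resolve to, and what the Allow Nested Groups check box changes. It is an added example, not SiteMinder or CA code: the in-memory directory, the DNs, the attribute names, and the use of a memberOf attribute to represent group membership are all constructed for illustration.

```python
"""Model of the three SiteMinder assertion-attribute kinds (Static, User
Attribute, DN Attribute) resolved against a small in-memory directory.
Added example: this is not SiteMinder or CA code; the directory layout,
DNs and attribute names below are constructed for illustration."""

# Constructed LDAP-like directory keyed by DN. Group membership is modelled
# with a "memberOf" attribute so that nested groups can be walked (assumption).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "mail": ["alice@example.com"],
        "telephoneNumber": ["+1 555 0100", "+1 555 0101"],   # multi-valued
        "memberOf": ["cn=web-dev,ou=groups,dc=example,dc=com"],
    },
    "cn=web-dev,ou=groups,dc=example,dc=com": {
        # web-dev is itself a member of engineering: a nested group
        "memberOf": ["cn=engineering,ou=groups,dc=example,dc=com"],
    },
    "cn=engineering,ou=groups,dc=example,dc=com": {
        "division": ["Engineering"],
    },
    "ou=people,dc=example,dc=com": {
        "description": ["Employees"],
    },
}


def parent_dns(dn):
    """Yield every ancestor DN of `dn`, i.e. the OUs and domain components
    the entry sits under."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def groups_of(dn, nested):
    """Groups `dn` belongs to: direct memberships only, or the transitive
    closure when `nested` is True (Allow Nested Groups)."""
    seen, todo = [], list(DIRECTORY.get(dn, {}).get("memberOf", []))
    while todo:
        group = todo.pop(0)
        if group in seen:
            continue  # guards against membership cycles
        seen.append(group)
        if nested:
            todo.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen


def static_attribute(value):
    """Static kind: a constant string, e.g. show_button = yes."""
    return [value]


def user_attribute(user_dn, name):
    """User Attribute kind: values taken from the user's own entry; LDAP
    attributes may be multi-valued, so a list is returned."""
    return list(DIRECTORY.get(user_dn, {}).get(name, []))


def dn_attribute(user_dn, name, allow_nested_groups=False):
    """DN Attribute kind: values of `name` taken from directory objects the
    user is related to: the OUs in the user's DN and the groups the user
    belongs to (nested groups only when Allow Nested Groups is set)."""
    related = list(parent_dns(user_dn)) + groups_of(user_dn, allow_nested_groups)
    values = []
    for obj in related:
        values.extend(DIRECTORY.get(obj, {}).get(name, []))
    return values


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print("static:", static_attribute("yes"))
    print("user  :", user_attribute(alice, "telephoneNumber"))
    print("dn    :", dn_attribute(alice, "division"))
    print("nested:", dn_attribute(alice, "division", allow_nested_groups=True))
```

Note the last two calls: without Allow Nested Groups the division attribute is not found, because it lives on the engineering group that alice reaches only through web-dev. That is exactly the case the check box exists for.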

Specify the Maximum Length of Assertion Attributes

The maximum length for user assertion attributes is configurable. To modify the maximum length of assertion attributes, change the settings in the EntitlementGenerator.properties file.

Note: The property name in the file is specific to the protocol you are configuring.

Follow these steps:

  1. On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\EntitlementGenerator.properties.
  2. Open the file in a text editor.
  3. Adjust the maximum user attribute length for the protocols in use in your environment. The settings for each protocol are as follows:

    WS-Federation

    Property Name: com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for WS-FED assertion attributes.

    SAML 1.x

    Property Name: com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML1.1 assertion attributes.

    SAML 2.0

    Property Name: com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength

    Property Type: Positive Integer value

    Default Value: 1024

    Description: Indicates the maximum attribute length for SAML2.0 assertion attributes.

  4. Restart the Policy Server after any change to these parameters.
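A small script for the edit in steps 1 to 4, as an added example rather than a CA-supplied tool: it reads the per-protocol MaxUserAttributeLength property, validates that a new value is a positive integer, and rewrites the existing line in place (or appends the key if it is absent) without disturbing comments or other settings. The sample file content is constructed; the file name and property keys are the ones documented above. The Policy Server still has to be restarted after the file is changed.

```python
"""Read and update the per-protocol MaxUserAttributeLength settings in
EntitlementGenerator.properties. Added example, not CA/SiteMinder code;
it works on the file text as a string so it can be tested offline.
SAMPLE_PROPERTIES below is a constructed sample, not a real file."""

import re

PROTOCOLS = {
    "wsfed": "com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength",
    "saml1": "com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength",
    "saml2": "com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength",
}
DEFAULT_LENGTH = 1024   # documented default for all three protocols

# Constructed sample of the properties file (comments and unrelated keys kept).
SAMPLE_PROPERTIES = """# EntitlementGenerator.properties (constructed sample)
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength = 2048
some.other.setting=true
"""


def _key_pattern(protocol, capture_value):
    """Match a Java properties line for the protocol's key; the format
    allows '=' or ':' as separator with optional surrounding spaces."""
    key = re.escape(PROTOCOLS[protocol])
    tail = r"\s*[=:]\s*(\S+)[ \t]*$" if capture_value else r"\s*[=:].*$"
    return re.compile(r"^[ \t]*" + key + tail, re.M)


def get_max_user_attribute_length(text, protocol):
    """Return the configured value for `protocol`, or the default when the
    key is not present. Rejects non-positive values the file may contain."""
    m = _key_pattern(protocol, capture_value=True).search(text)
    if not m:
        return DEFAULT_LENGTH
    value = int(m.group(1))
    if value <= 0:
        raise ValueError(f"{PROTOCOLS[protocol]} must be a positive integer, got {value}")
    return value


def set_max_user_attribute_length(text, protocol, length):
    """Return a copy of `text` with the protocol's key set to `length`,
    replacing an existing line in place or appending one if missing."""
    if not isinstance(length, int) or isinstance(length, bool) or length <= 0:
        raise ValueError("MaxUserAttributeLength must be a positive integer")
    new_line = f"{PROTOCOLS[protocol]}={length}"
    pattern = _key_pattern(protocol, capture_value=False)
    if pattern.search(text):
        return pattern.sub(new_line, text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python set_attr_length.py <path-to-properties> <wsfed|saml1|saml2> <length>
    # Java properties files are ISO-8859-1; the Policy Server must be restarted afterwards.
    path, protocol, length = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(path, encoding="latin-1") as f:
        original = f.read()
    with open(path, "w", encoding="latin-1") as f:
        f.write(set_max_user_attribute_length(original, protocol, length))
    print(f"{PROTOCOLS[protocol]} is now "
          f"{get_max_user_attribute_length(set_max_user_attribute_length(original, protocol, length), protocol)}")
```

Run it against a copy of policy_server_home\config\properties\EntitlementGenerator.properties first and diff the result; the script changes only the one line it is asked to change.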