Federation Security Services Guide › Configure SiteMinder as a SAML 1.x Producer › Configure Attributes to Include in SAML 1.x Assertions (Optional) › Configure Attributes for SAML 1.x Assertions

Configure Attributes for SAML 1.x Assertions

You can configure responses to pass attributes from a SAML assertion to a target application at the consumer site.

To configure an attribute for an assertion

1. In the Affiliate Properties dialog, select the Attributes tab.
2. Click Create.

   The Affiliate Attribute Editor dialog opens.

3. From the Attribute drop-down list, select whether you want to configure a header or cookie variable.
4. From the Attribute Setup tab, select one of the following options in the Attribute Kind group box:
   • Static
   • User Attribute
   • DN Attribute

   If you select the DN Attribute, you can also select the Allow Nested Groups check box. Selecting this check box allows SiteMinder to return an attribute from a group that is nested in another group specified by a policy. Nested groups often occur in complex LDAP deployments.

   Your selection from the Attribute drop-down list and the response attribute type you select determine the available fields in the Attribute Fields group box.

5. Complete the fields for the Attribute Kind you select. The Attribute Kind that you select determines which additional fields you must configure.

   Static

   Fill in the following fields:

   • Variable Name

     Enter the name for the attribute SiteMinder returns to the affiliate.

   • Variable Value

     Enter the static text as the value for the name/value pair.

     For example, to return the name/value pair show_content=yes, enter show_content as the variable name and yes as the variable value.

   User Attribute

   Fill in the following fields:

   • Variable Name

     Enter the name for the attribute SiteMinder returns to the consumer.

   • Attribute Name

     Enter the attribute in the user directory for the name/value pair.

     For example, to return the email address of a user to the consumer, enter email_address as the Variable Name, and email as the Attribute Name.

   DN Attribute

   Fill in the following fields:

   • Variable Name

     Enter the name for the attribute SiteMinder returns to the consumer.

   • DN Spec

     Enter the distinguished name of the user group from which SiteMinder retrieves the user attribute. The DN must be related to the users for whom you want to return values to the consumer. If you do not know the DN, click Lookup. Use the SiteMinder User Lookup dialog to locate the user group and select a DN.

   • Attribute Name

     Enter the attribute in the user directory for this attribute for the name/value pair.

   Note: If you selected Affiliate-HTTP-Cookie-Variable from the Attribute menu, the Variable Name field label changes to Cookie Name.

6. (Optional) if the LDAP user directory contains nested groups, and you want the Policy Server to retrieve DN attributes from the nested groups, select the Allow Nested Groups check box in the Attribute Kind group box.
7. Click OK to save your changes.

Specify the Maximum Length of Assertion Attributes

The maximum length for user assertion attributes is configurable. To modify the maximum length of assertion attributes, change the settings in the EntitlementGenerator.properties file.

Note: The property name in the file is specific to the protocol you are configuring.

Follow these steps:

1. On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\EntitlementGenerator.properties.
2. Open the file in a text editor.
3. Adjust the maximum user attribute length for the protocols in use in your environment. The settings for each protocol are as follows:

   WS-Federation

   Property Name: com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength

   Property Type: Positive Integer value

   Default Value: 1024

   Description: Indicates the maximum attribute length for WS-FED assertion attributes.

   SAML 1.x

   Property Name: com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength

   Property Type: Positive Integer value

   Default Value: 1024

   Description: Indicates the maximum attribute length for SAML1.1 assertion attributes.

   SAML 2.0

   Property Name: com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength

   Property Type: Positive Integer value

   Default Value: 1024

   Description: Indicates the maximum attribute length for SAML2.0 assertion attributes

4. Restart the Policy Server after any change to these parameters.