

Customize a SAML Response Element (optional)

The Assertion Generator produces SAML assertions to authenticate users in a federated environment. You may want to modify the assertion content based on your business agreements between partners and vendors.

By configuring an Assertion Generator plug-in, you can customize the content of a SAML 2.0 response generated by the Assertion Generator.

To modify a response element using the Assertion Generator plug-in

  1. Implement the plug-in class.

    A sample class, AssertionSample.java, can be found in sdk/samples/assertiongeneratorplugin.

  2. Configure the Assertion Generator plug-in from the Advanced tab of the SAML Service Provider Properties dialog box.

    Note: Specify an Assertion Generator plug-in for each Service Provider.

    1. In the Full Java Class Name field, enter the Java class name of the plug-in. This plug-in is invoked by the Assertion Generator at run time.

      The plug-in class can parse and modify the assertion, and then return the result to the Assertion Generator for final processing.

      An example class name is com.mycompany.assertiongenerator.AssertionSample. Only one plug-in is allowed for each Service Provider.

      A sample assertion plug-in is included in the SDK at sdk/samples/assertiongeneratorplugin.

    2. Optionally, in the Parameters field, enter the string that gets passed to the plug-in as a parameter at run time.

      The string can contain any value; there is no specific syntax to follow.

Additional information about the Assertion Generator plug-in can be found as follows:

Implement the AssertionGeneratorPlugin Interface

The first step in creating a custom assertion generator plug-in is to implement the AssertionGeneratorPlugin interface.

Follow these steps:

  1. Provide a public default constructor method that contains no parameters.
  2. Provide code so that the implementation is stateless. Many threads must be able to use a single plug-in class.
  3. Implement methods in the interface to satisfy your requirements.

The implementation must include a call to the customizeAssertion methods. You can overwrite the existing implementations. See the following sample classes for examples:

  SAML 1.x/WS-Federation: AssertionSample.java

  SAML 2.0: SAML2AssertionSample.java

The sample classes are located in the directory /sdk/samples/assertiongeneratorplugin.

Note: The contents of the parameter string that your implementation passes into the customizeAssertion method are the responsibility of the custom object.
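The three requirements above in one place, as an added example that is not from the SDK or its sample classes. The AssertionCustomizer interface is a hypothetical stand-in for AssertionGeneratorPlugin (the real method signatures are in the sample classes), and the partnerTag attribute name and the sample assertion are constructed. The class keeps no per-request state, parses the assertion with DTDs disabled, and writes the free-form parameter string as text rather than markup.

```java
import java.io.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

// Hypothetical stand-in for the SDK's AssertionGeneratorPlugin interface (assumed shape).
interface AssertionCustomizer {
    String customizeAssertion(String assertionXml, String parameter) throws Exception;
}

public class PartnerTagPlugin implements AssertionCustomizer {
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    public PartnerTagPlugin() { } // step 1: public constructor with no parameters

    // Step 2: no instance fields. All per-request data lives in locals, so threads
    // sharing this object cannot write one user's data into another user's assertion.
    @Override
    public String customizeAssertion(String assertionXml, String parameter) throws Exception {
        if (parameter == null || parameter.isEmpty()) return assertionXml; // nothing to add
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(assertionXml)));
        Element assertion = (Element) doc.getElementsByTagNameNS(SAML2_NS, "Assertion").item(0);
        if (assertion == null) throw new IllegalArgumentException("no SAML 2.0 Assertion element");
        // Reuse the prefix the assertion already declares so the output stays consistent.
        String p = assertion.getPrefix() == null ? "" : assertion.getPrefix() + ":";
        Element stmt = doc.createElementNS(SAML2_NS, p + "AttributeStatement");
        Element attr = doc.createElementNS(SAML2_NS, p + "Attribute");
        attr.setAttribute("Name", "partnerTag"); // constructed attribute name
        Element value = doc.createElementNS(SAML2_NS, p + "AttributeValue");
        value.setTextContent(parameter); // stored as text, so markup in the parameter is escaped
        assertion.appendChild(stmt).appendChild(attr).appendChild(value);
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String sample = "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\" ID=\"_constructed\"/>"; // constructed
        System.out.println(new PartnerTagPlugin().customizeAssertion(sample, "gold<tier>"));
    }
}
```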

Deploy the Assertion Generator Plug-in

After you have coded your implementation class for the AssertionGeneratorPlugin interface, compile it and verify that SiteMinder can find your executable file.

To deploy the assertion generator plug-in

  1. Compile the assertion plug-in Java file.

    Compilation requires the following .jar files, which are installed with the Policy Server:

  2. In the JVMOptions.txt file, modify the -Djava.class.path value so it includes the classpath for the plug-in. This modification enables the plug-in to be loaded with the modified classpath. Locate the JVMOptions.txt file in the directory installation_home\siteminder\config.

    Note: Do not modify the classpath for xercesImpl.jar, xalan.jar, or SMJavaApi.jar.

  3. Enable the plug-in.