

Set up the Attribute Authority

In a SiteMinder context, the Attribute Authority is the Identity Provider with the Attribute Authority service enabled.

Note: You do not need to configure other Identity Provider features, such as single sign-on, to have the Identity Provider act as an Attribute Authority.

To configure a SiteMinder Attribute Authority

  1. Log on to the FSS Administrative UI.
  2. From the appropriate affiliate domain, double-click the Service Provider, acting as the SAML Requester, that requests the user attributes.

    The SAML Service Provider Properties dialog opens.

  3. Select the Attribute Svc tab.
  4. Select Enabled to enable the Attribute Authority feature.
  5. (Optional) Modify the value of the Validity Duration. You can accept the default of 60 seconds.

    Modify this setting only if you want the assertion to be valid for longer than 60 seconds.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  6. (Optional) Configure one or both of the signing settings. Neither of these settings is required.

    Require Signed Attribute Query

    Select this option if you want the Attribute Authority to accept only signed queries from the SAML Requester.

    Signing Options

    Select one of the options to sign the attribute assertion, the SAML response, both, or neither when they are returned to the SAML Requester.

  7. Select a namespace in the User Lookup section and click Edit.

    The Attribute Service Namespace Mapping dialog opens.

  8. In the Search Specification field, enter a namespace attribute that the authentication scheme uses as the search string, then click OK.

    Use %s in the entry as the variable that represents the NameID. For example, the NameID has a value of user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is verified against the user store to find the correct record for authentication.

  9. Click OK.

    You return to the Attribute Svc tab.

  10. Click OK to save your changes.
  11. Go to Configure the Attributes at the Attribute Authority.
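
To confirm that the Validity Duration and Signing Options from steps 5 and 6 took effect, you can inspect a response returned to the SAML Requester. The following Python example is added here and is not SiteMinder code; it assumes the validity period appears in the standard SAML 2.0 Conditions element (NotBefore and NotOnOrAfter) and spans exactly the configured duration. The function name audit_response and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response (not captured from a real deployment; signature body omitted).
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Assertion>
    <ds:Signature/>
    <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                     NotOnOrAfter="2024-01-01T12:01:00Z"/>
  </saml:Assertion>
</samlp:Response>
"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values; accept optional fractions.
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def audit_response(xml_text, expected_validity=60, now=None):
    """Report the validity window and which elements carry a ds:Signature child."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or "NotBefore" not in cond.attrib or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("assertion has no bounded validity window")
    start, end = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    now = now or datetime.now(timezone.utc)
    window = int((end - start).total_seconds())
    return {
        "window_seconds": window,
        "window_exceeds_expected": window > expected_validity,
        "currently_valid": start <= now < end,
        # Presence only: this does not verify the signature cryptographically.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion.find("ds:Signature", NS) is not None,
    }
```

The signature fields report only whether a ds:Signature element is present; the SAML Requester must still validate the signature against the Attribute Authority's certificate.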