Set up the Attribute Authority

In a SiteMinder context, the Attribute Authority is the Identity Provider with the Attribute Authority service enabled.

Note: You do not need to configure other Identity Provider features, such as single sign-on, for the Identity Provider to act as an Attribute Authority.

To configure a SiteMinder Attribute Authority

  1. Log on to the Policy Server User Interface.
  2. From the appropriate affiliate domain, double-click the Service Provider, acting as the SAML Requester, that will be requesting user attributes.

    The SAML Service Provider Properties dialog opens.

  3. Select the Attribute Svc tab.
  4. Check Enabled to enable the Attribute Authority feature.
  5. (Optional) Modify the value of the Validity Duration. You can accept the default of 60 seconds.

    Modify this setting only if you want the assertion to be valid for longer than 60 seconds.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  6. (Optional) Configure one or both of the signing settings. Neither setting is required.
    Require Signed Attribute Query

    Check this option if you want the Attribute Authority to accept only signed queries from the SAML Requester.

    Signing Options

    Select one of the options to sign the attribute assertion, the SAML response, both, or neither when they are returned to the SAML Requester.

  7. Select a namespace in the User Lookup box and click Edit.

    The Attribute Service Namespace Mapping dialog opens.

  8. In the Search Specification field, enter a namespace attribute that the authentication scheme uses as a search string, then click OK.

    Use %s in the entry as the variable that represents the NameID. For example, the NameID has a value of user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is checked against the user store to find the correct record for authentication.

  9. Click OK.

    You return to the Attribute Svc tab.

  10. Click OK to save your changes.
  11. Go to Configure the Attributes at the Attribute Authority.
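
The %s substitution described in step 8, as an added example (not SiteMinder code): a Python helper that previews the string a Search Specification yields for a given NameID. It assumes an LDAP user store and escapes the NameID per RFC 4515; the function names and the second NameID are constructed for illustration, and the code does not describe how the Policy Server handles the value internally.

```python
# Added example, not SiteMinder code. Assumption: the user store is LDAP,
# so the NameID is escaped as an LDAP filter value (RFC 4515, section 3).

# Characters that RFC 4515 requires to be escaped inside a filter value.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_value(value: str) -> str:
    """Return value with LDAP filter metacharacters escaped."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def needs_escaping(name_id: str) -> bool:
    """True if the NameID contains any LDAP filter metacharacter."""
    return any(ch in _LDAP_ESCAPES for ch in name_id)


def expand_spec(spec: str, name_id: str, ldap: bool = True) -> str:
    """Replace %s in a Search Specification with the NameID.

    Hypothetical review check: the spec must contain %s and no other
    % sequence, otherwise the lookup would not depend on the NameID.
    """
    if "%s" not in spec:
        raise ValueError("Search Specification has no %s placeholder")
    if "%" in spec.replace("%s", ""):
        raise ValueError("unexpected % outside the %s placeholder")
    value = escape_ldap_value(name_id) if ldap else name_id
    return spec.replace("%s", value)


if __name__ == "__main__":
    # The page's own case, then a constructed NameID with metacharacters.
    for name_id in ("user1", "j.smith (temp)*"):
        print(name_id, needs_escaping(name_id), expand_spec("Username=%s", name_id))
```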

More Information

Attribute Authority and Query Reference