Require SAML Token Profile Assertion

The Require SAML Token Profile assertion allows you to require SAML constraints in a policy. The assertion validates the SAML (Security Assertion Markup Language) token in the target message against the configured constraints, such as the SAML version, statement type, subject confirmation method, and conditions. If validation succeeds, the Gateway passes the message through to the service. If validation fails, the Gateway returns a SOAP fault.
The Require SAML Token Profile assertion is a credential source: it saves the subject information from the validated token for later authorization by the Authenticate User or Group assertion. It can be used in tandem with the Protect Against Message Replay, Sign Element, and Encrypt Element assertions, and it also serves as the credential source for an identity bridging configuration.
The Require SAML Token Profile assertion supports both the SAML 1.1 and 2.0 standards.
To avoid constraint conflicts, only a single Require SAML Token Profile assertion should be present in a policy.
To learn about selecting the target message for this assertion, see Selecting a Target Message.
To learn more about changing the WSS Recipient for this assertion, see Changing the WSS Assertion Recipient.
Context Variables Created by This Assertion
The Require SAML Token Profile assertion sets the following context variable after it is used to validate an Attribute Statement.
saml.attr.<attribute_name>
Where:
  • saml.attr is a fixed prefix for all context variables created by this assertion
  • <attribute_name> is the name of the attribute that was validated, with the following transformations:
      • the name is converted to lower case
      • non-alphanumeric characters are changed to underscores ('_')
      • if the name begins with a number, an 'n' is prepended
  • all attribute values are converted to strings if they are not already strings
Technical tip: If the <attribute_name> begins or ends with white space, it cannot be accessed using the context variable described above. You must extract it using an XPath assertion instead.
If an attribute contains more than one value, a multivalued context variable is created.
Examples:
An attribute named "fruit" with a single value "pear" can be accessed with the context variable ${saml.attr.fruit}, which will yield "pear". If the attribute "fruit" contains multiple values, you can use ${saml.attr.fruit[0]} to access the first item, ${saml.attr.fruit[1]} for the second item, etc.
An attribute named "99 beers!" would be accessible as ${saml.attr.n99_beers_}.
Only attributes named in the assertion properties and validated are placed into context variables. Any other attributes that may be present in the SAML token are ignored (these may be validated using schema validation and/or XPath assertions if necessary).
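The following Python script is an added example, not Gateway code, that applies the naming rules above to a constructed SAML 2.0 assertion: it exports only the attributes that are configured in the assertion properties, builds the ${saml.attr.<attribute_name>} names, keeps multivalued attributes as lists, skips names with leading or trailing white space (which, as noted above, must be read with XPath instead), and, as a choice of this example rather than documented Gateway behaviour, rejects two attribute names that map to the same variable (for instance "Fruit" and "fruit"). The sample token, the resolve() helper and its handling of an index on a single-valued variable are assumptions of the example.

```python
"""Added example (not Layer7/CA Gateway code): derive ${saml.attr.<name>}
context variables from a SAML 2.0 AttributeStatement using the naming rules
documented on this page. The token below is constructed for the example."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample token (example data, not a real assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="fruit">
      <saml:AttributeValue>pear</saml:AttributeValue>
      <saml:AttributeValue>apple</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="99 beers!">
      <saml:AttributeValue xsi:type="xs:integer">3</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name=" padded ">
      <saml:AttributeValue>unreachable</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="unlisted">
      <saml:AttributeValue>ignored</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def context_variable_name(attribute_name):
    """Map a SAML attribute name to its context variable name (page's rules):
    lower case, non-alphanumerics to '_', leading digit gets an 'n' prefix.
    Assumption: 'alphanumeric' means ASCII letters and digits."""
    name = re.sub(r"[^a-z0-9]", "_", attribute_name.lower())
    if name[:1].isdigit():
        name = "n" + name
    return "saml.attr." + name


def extract_attribute_variables(assertion_xml, configured_names):
    """Return {variable_name: value} for the configured attributes only.

    Single-valued attributes yield a str, multivalued ones a list of str
    (the page's multivalued variable). Names with leading/trailing white
    space are skipped because the page says they are not reachable this
    way. Two names mapping to one variable raise ValueError; that is this
    example's choice, the page does not say what the Gateway does.
    Note: for untrusted tokens parse with defusedxml, not plain ElementTree.
    """
    root = ET.fromstring(assertion_xml)
    wanted = set(configured_names)
    variables = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name not in wanted or name != name.strip():
            continue  # not configured, or unreachable through a context variable
        # Typed values (xsi:type="xs:integer") are exported as strings.
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        var = context_variable_name(name)
        if var in variables:
            raise ValueError("attribute name collision on " + var)
        variables[var] = values[0] if len(values) == 1 else values
    return variables


_REFERENCE = re.compile(r"^\$\{(?P<var>[a-z0-9_.]+)(?:\[(?P<idx>\d+)\])?\}$")


def resolve(variables, reference):
    """Resolve a ${saml.attr.x} or ${saml.attr.x[i]} reference (syntax assumed
    from the page's examples); a single value is treated as a one-item list."""
    m = _REFERENCE.match(reference)
    if not m:
        raise ValueError("not a context variable reference: " + reference)
    value = variables[m.group("var")]
    if m.group("idx") is None:
        return value
    items = value if isinstance(value, list) else [value]
    return items[int(m.group("idx"))]


if __name__ == "__main__":
    found = extract_attribute_variables(SAMPLE_ASSERTION, ["fruit", "99 beers!", " padded "])
    for var, value in found.items():
        print(var, "=", value)
    print(resolve(found, "${saml.attr.fruit[1]}"))
```

Running the script shows that "unlisted" never appears (it was not configured), " padded " is dropped even though it was configured, and "99 beers!" is exported as saml.attr.n99_beers_ with the string value "3". Because the mapping is not injective, configuring attributes whose names differ only in case or punctuation is worth avoiding in a real policy.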
Adding and Configuring the Assertion
  1. Add the Require SAML Token Profile assertion to the policy development window as described in Adding an Assertion. The SAML Token Profile Wizard appears.
  2. Follow the wizard to complete the assertion. For details, see Configuring SAML Policies for Identity Bridging.
Editing the Assertion
  1. In the policy development window, right-click <target>: Require SAML <type> Statement and then select SAML Token Profile Wizard. The wizard is displayed in edit mode.
  2. In edit mode, each step in the wizard is represented by a tab. Select the appropriate tabs to edit. For more information about each tab, refer to the following table for the corresponding step in the SAML Token Profile Wizard.
     For information on the tab...    See this step in the SAML Token Profile Wizard...
     SAML Version                     Step 2: SAML Version
     SAML Statement Type              Step 3: SAML Statement Type
     Authentication Methods           Step 4: Authentication Methods
     Authorization Statement          Step 5: Authorization Statement
     Attribute Statement              Step 6: Attribute Statement
     Subject Confirmation             Step 7: Subject Confirmation
     Name Identifier                  Step 8: Name Identifier
     Conditions                       Step 9: Conditions
  3. Click [OK] when done.