Process SAML Attribute Query Request Assertion

The Process SAML Attribute Query Request assertion validates AttributeQuery requests based on user configuration. It also makes values and elements from an AttributeQuery available as context variables.
This assertion only supports SAML 2.0.
To learn about selecting the target message for this assertion, see Selecting a Target Message.
Context Variables Created by This Assertion
The Process SAML Attribute Query Request assertion sets the following context variables. The default <prefix> is "attrQuery" and can be changed in the assertion properties.
The 'subject' context variables in the table below (except for subject.format) will not be set if the NameID was encrypted and decryption was not configured.
| Context variable | Type | Notes |
| --- | --- | --- |
| <prefix>.attributes | Element (multivalued) | All Attribute elements contained in the AttributeQuery. |
| <prefix>.subject | String | Value of the Subject's NameID. |
| <prefix>.subject.nameQualifier | String | Subject's NameID's NameQualifier attribute value, if provided. |
| <prefix>.subject.spNameQualifier | String | Subject's NameID's SPNameQualifier attribute value, if provided. |
| <prefix>.subject.format | String | Subject's NameID's Format attribute value, if provided. Never empty; if not supplied, the value will be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. |
| <prefix>.subject.spProvidedId | String | Subject's NameID's SPProvidedID attribute value, if present. |
| <prefix>.Id | String | AttributeQuery's ID attribute, if present. |
| <prefix>.version | String | AttributeQuery's Version attribute, if present. |
| <prefix>.issueInstant | String | AttributeQuery's IssueInstant attribute, if present. |
| <prefix>.destination | String | AttributeQuery's Destination attribute, if present. |
| <prefix>.consent | String | AttributeQuery's Consent attribute. If not supplied, the value will be urn:oasis:names:tc:SAML:2.0:consent:unspecified. |
| <prefix>.issuer | String | AttributeQuery's Issuer element's value, if present. |
| <prefix>.issuer.nameQualifier | String | Issuer's NameQualifier attribute value, if present. |
| <prefix>.issuer.spNameQualifier | String | Issuer's SPNameQualifier attribute value, if present. |
| <prefix>.issuer.format | String | Issuer's Format attribute value, if present. |
| <prefix>.issuer.spProvidedId | String | Issuer's SPProvidedID attribute value, if present. |
The following variables may also be set:
  • If decryption is configured and was performed (Decrypt EncryptedID check box in the properties), then all the context variables from the (Non-SOAP) Decrypt XML Element assertion will also be set. These variables include:
    <prefix>.elementsDecrypted
    <prefix>.encryptionMethodUris
    <prefix>.recipientCertificates
    The prefix used for those variables is the prefix specified in the properties. For more information, see (Non-SOAP) Decrypt XML Element Assertion.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click Process SAML Attribute Query Request in the policy window and select SAML Attribute Query Request Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Configure the dialog as follows:
    AttributeQuery Validation
    • SAML Version: Only SAML 2.0 is supported.
    • SOAP Encapsulated: Select this check box if the AttributeQuery is encapsulated within a SOAP envelope.
    Request Validation
    Select the appropriate check boxes to indicate which attribute or element must be present in an AttributeQuery request:
    • Issuer
    • Signature*
    • ID
    • Version
    • IssueInstant
    • Consent
    • Destination**
    *This assertion does not validate or verify the signature. To validate the signature, use the (Non-SOAP) Verify XML Element assertion. To remove the signature, use the Add or Remove XML Element(s) assertion.
    **Select the Destination check box to indicate that a Destination attribute is required. If the Destination attribute must have an allowed value, enter all allowed values in the adjacent text box. Enter as many values as needed, separated by a space. You may specify URIs or context variables of type String (variables that resolve to an empty string or a non-string are ignored and will not cause assertion failure, but a 'Warning' audit is logged). Context variables may contain space-separated URI strings.
    If an attribute/element has been configured but is missing, the assertion will fail.
    Subject Validation
    • Allow: Select the supported Subject identifiers:
      NameID
      EncryptedID
      If [EncryptedID] is permitted, select the Decrypt EncryptedID check box to decrypt the EncryptedID and update the message with the result of the decryption.
      The "Require Format" and "Allowed NameID Format" validations are applied only when either a NameID was included in the AttributeQuery or an EncryptedID was received and decrypted. If decryption was not selected, this validation cannot be performed. Additionally, context variables related to the NameID will not be set.
    • Require format: Select this check box to require the Format attribute to be present on the NameID; otherwise the assertion will fail. Clear this check box if the Format attribute is not required. If no Format attribute is supplied, it will have the following default value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
    • Allowed NameID formats: Select the supported NameID formats from the list. By default, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is selected, as this is the default value of this attribute when no value is supplied.
    • Custom: If the NameID format you need is not listed, enter a set of custom Format URI values here. Enter as many values as needed, separated by a space. You may specify URIs or context variables of type String (variables that resolve to an empty string are ignored and will not cause assertion failure, but a "Warning" audit is logged). Context variables may be single or multivalued. Single-valued variables may contain space-separated URI strings.
    SAML Attribute Validation
    This section configures the rules for the saml:Attribute elements contained in the AttributeQuery.
    • Require Attributes: Select this check box to fail the assertion if an empty AttributeQuery is received. Clear the check box if attributes are not required.
    • Verify unique Name + NameFormat: Select this check box to fail the assertion if there are any logical duplicate attributes. Note that the AttributeValue (if any) is not considered in this check.
    • Require NameFormat: Select this check box to fail the assertion if the NameFormat attribute is not present. Clear this check box if the NameFormat attribute is not required.
    • Allowed NameFormats: Select the supported NameFormats from the list. By default, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified is selected, as this is the default value of this attribute when no value is supplied.
    • Custom: If the NameFormat you need is not listed, enter a set of custom NameFormat URI values here. Enter as many values as needed, separated by a space. You may specify URIs or context variables of type String (variables that resolve to an empty string are ignored and will not cause assertion failure, but a 'Warning' audit is logged). Context variables may be single or multivalued. Single-valued variables may contain space-separated URI strings.
    Variable Prefix
    Enter a prefix that will be added to the context variables created by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy.
    The default variable prefix is attrQuery.
    For an explanation of the validation messages displayed, see Context Variable Validation.
  4. Click [OK] when done.
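As an added illustration (not the product's own code), the Python sketch below applies the Request, Subject and SAML Attribute validation rules described above to a constructed AttributeQuery and fills the context variables under the default attrQuery prefix; the function name process, its parameters and the sample request are assumptions, and, like the assertion, it does not check the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}   # only assertion-namespace children are queried
NAMEID_DEFAULT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEFMT_DEFAULT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample request (not from the page); the second Attribute has no NameFormat.
SAMPLE = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_q1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example/attr">
  <saml:Issuer>https://idp.example</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <saml:Attribute Name="role"/>
</samlp:AttributeQuery>"""

def process(xml, prefix="attrQuery", required=("Issuer", "ID", "Version"),
            allowed_destinations=(), allowed_nameid_formats=(NAMEID_DEFAULT,),
            allowed_name_formats=(NAMEFMT_DEFAULT,), require_attributes=True):
    """Return (passed, failures, context) for one AttributeQuery; the signature is not checked."""
    root = ET.fromstring(xml)
    ctx, fail = {}, []
    issuer = root.find("saml:Issuer", NS)
    ctx[prefix + ".issuer"] = issuer.text if issuer is not None else None
    for xml_attr, var in (("ID", "Id"), ("Version", "version"),
                          ("IssueInstant", "issueInstant"), ("Destination", "destination")):
        ctx[prefix + "." + var] = root.get(xml_attr)
    # Request Validation: each configured attribute/element must be present.
    fail += ["missing " + n for n in required
             if (issuer is None if n == "Issuer" else root.get(n) is None)]
    if allowed_destinations and root.get("Destination") not in allowed_destinations:
        fail.append("Destination not in allowed list")
    # Subject Validation: Format defaults to the SAML 1.1 'unspecified' URI when absent.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        ctx[prefix + ".subject"] = name_id.text
        ctx[prefix + ".subject.format"] = name_id.get("Format", NAMEID_DEFAULT)
        if ctx[prefix + ".subject.format"] not in allowed_nameid_formats:
            fail.append("NameID Format not allowed")
    # SAML Attribute Validation: required, allowed NameFormat, unique Name + NameFormat.
    attrs = root.findall("saml:Attribute", NS)
    ctx[prefix + ".attributes"] = attrs
    if require_attributes and not attrs:
        fail.append("empty AttributeQuery")
    keys = [(a.get("Name"), a.get("NameFormat", NAMEFMT_DEFAULT)) for a in attrs]
    fail += ["NameFormat not allowed: " + f for _, f in keys if f not in allowed_name_formats]
    if len(set(keys)) != len(keys):
        fail.append("duplicate Name + NameFormat")
    return not fail, fail, ctx
```

With the default allowed list the sample fails only on the "basic" NameFormat; widening allowed_name_formats makes it pass, while adding Consent to required or restricting allowed_destinations fails it again.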