SAML 2.0 Authentication Scheme Attributes

The Attributes settings let you configure the attributes that the SAML requester can request from an Attribute Authority. The SAML requester includes attributes in an attribute query that it sends to the Attribute Authority.
SAML 2.0 Auth Scheme--Attribute Query Settings
Attribute Query
This section is where you enable the attribute query feature and you configure the operation of this feature at the Service Provider.
  • Enabled
    Enables CA Single Sign-On to generate attribute queries.
  • Require Signed Assertions
    Indicates that the SAML requester only accepts attribute assertions that the Attribute Authority has signed. If an assertion is not signed, the requester rejects it.
  • Sign Attribute Query
    Instructs the SAML requester to sign the attribute query before sending it to the Attribute Authority.
  • Get All Attributes
    Indicates that the attribute query retrieves all attributes that are configured at the Attribute Authority. Selecting this option results in an attribute query without any attributes; however, the Attribute Authority returns all the configured attributes for the subject.
    In some cases, selecting this option avoids some performance overhead. Less checking is done when constructing the query and verifying that requested attributes are still valid. However, if there are many configured attributes at the Attribute Authority and encryption is used, then this option can degrade performance.
  • Attribute Service
    Specifies the URL of the attribute service at the Attribute Authority.
    Value:
    Valid URL of less than 1024 characters
SAML 2.0 Auth Scheme--Name IDs for Attribute Queries
The Name IDs section is where you configure the Name ID in the attribute query. The fields in this section are configurable only if you enable the attribute query feature in the Attribute Query section of the page.
The fields in this section are:
  • Name ID Format
    Specifies the format of the Name ID. This value must match the format of the expected Name ID at the Attribute Authority or the request fails.
Name ID Type
This field defines the type of attribute that is used for the Name Identifier.
  • Static
    Indicates that the Name Identifier is the value in the Static Value field. Activates the Static Value field; disables other controls.
  • User Attribute
    Indicates that the Name Identifier is the value in the Attribute Name field. Activates the Attribute Name field; disables other controls.
  • DN Attribute
    Indicates that the Name Identifier is an attribute that is associated with a DN. Activates the User Attribute field, the DN Spec field, and the Allow Nested Groups check box; disables the Static Value field.
  • Allow Nested Groups
    Indicates that nested groups are allowed when selecting the DN. Enabled if the DN Attribute option is selected.
Name ID Fields
Contains fields that specify information about the selected Name Identifier. The fields in this section are context-sensitive, being determined according to the Name ID Type selection.
  • Static Value
    Specifies the static text value that the Service Provider uses for all name identifiers.
  • Attribute Name
    Specifies the name of the user attribute which contains the name identifier, or the attribute that is associated with a group or organizational unit DN.
  • DN Spec
    Specifies the group or organizational unit DN used for obtaining the associated attribute to be used as the name identifier.
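The following Python is an added example, not CA Single Sign-On code: it models how the Attribute Query settings and the Name ID settings described above shape the SAML 2.0 AttributeQuery the requester sends, and how the Require Signed Assertions rule is applied to the response. The CONFIG dictionary, the function names and the URL are constructed for illustration; XML-DSig signing of the query and the DN Attribute directory lookup are outside what is shown.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed settings mirroring the Attribute Query and Name ID sections above.
CONFIG = {"enabled": True, "require_signed_assertions": True, "get_all_attributes": False,
          "attribute_service": "https://aa.example.test/saml2/attribute",  # constructed
          "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
          "name_id_type": "User Attribute", "attribute_name": "mail", "static_value": ""}

def check_attribute_service(url):
    """Attribute Service: a valid URL of fewer than 1024 characters."""
    parts = urlparse(url)
    return len(url) < 1024 and parts.scheme in ("http", "https") and bool(parts.netloc)

def resolve_name_id(cfg, user):
    """Name ID Type decides where the NameID value comes from."""
    if cfg["name_id_type"] == "Static":
        return cfg["static_value"]
    if cfg["name_id_type"] != "User Attribute":
        raise ValueError("DN Attribute needs a directory lookup, which is not shown here")
    return user[cfg["attribute_name"]]

def build_attribute_query(cfg, user, requested=()):
    """Build the <samlp:AttributeQuery> the requester sends to the Attribute Authority."""
    if not cfg["enabled"] or not check_attribute_service(cfg["attribute_service"]):
        raise ValueError("attribute query is disabled or the Attribute Service URL is invalid")
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": cfg["name_id_format"]})
    name_id.text = resolve_name_id(cfg, user)
    # Get All Attributes: omit <saml:Attribute> elements; the authority returns them all.
    if not cfg["get_all_attributes"]:
        for name in requested:
            ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return query

def accept_response(cfg, response_xml):
    """Require Signed Assertions: reject any assertion that carries no ds:Signature."""
    assertions = ET.fromstring(response_xml).findall(f"{{{SAML}}}Assertion")
    all_signed = all(a.find(f"{{{DSIG}}}Signature") is not None for a in assertions)
    return bool(assertions) and (all_signed or not cfg["require_signed_assertions"])
```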