Assertion Configuration Dialog (SAML 2.0 IdP)

Name ID Configuration (SAML 2.0)
The NameID section lets you configure the Name Identifier, which uniquely identifies a user in the assertion. The format of the Name Identifier establishes the type of content that is used for the ID. For example, if the format is an email address, the content can be [email protected].
This section displays the following settings:
  • Name ID Format
    Specifies the Name Identifier format.
    Options:
    Select the pull-down menu to see the list of options.
    For a description of each format, see the OASIS Security Assertion Markup Language (SAML) specifications.
  • Name ID Type
    Specifies the type of value that is entered for the Name ID.
    Options:
    • Static
      Indicates that the Name ID is the constant value entered in the Value field.
    • User Attribute
      Indicates that the product obtains the Name ID by querying the user directory for the attribute entered in the Value field.
    • Session Attribute
      Indicates that the product obtains the Name ID by querying the session store for the attribute entered in the Value field.
    • DN Attribute (LDAP only)
      Indicates that the product obtains the Name ID with a query that uses the attribute in the Value field and the DN in the DN Spec field. This option is primarily used to identify a group of users.
  • Value
    Specifies one of the following values:
    • Static text value of the Name ID for the Static ID type.
    • Value of a user attribute for the User Attribute ID type.
    • Value of a session store attribute for the Session Attribute type
    • Value of a DN attribute for the DN Type.
  • DN Specification
    Specifies the group or organizational unit DN used to obtain the associated attribute for the name identifier.
    Example:
    ou=Engineering,o=ca.com
  • Allow Creation of User Identifier (SAML 2.0 only)
    Indicates whether the IdP can create a value for the Name ID and include it in an assertion. When the SP sends an AuthnRequest to the IdP, the SP can include an AllowCreate attribute in the request. This attribute, together with this check box, lets the IdP generate a Name ID value when it cannot find one in the existing user record. This value has to be a persistent identifier.
    The following table explains the interaction between the AllowCreate attribute and this check box.
    AllowCreate Attribute Value in AuthnRequest (SP) | Allow Creation of User Identifier Setting (IdP) | IdP Action
    AllowCreate=true         | Check box selected | Creates Name ID value.
    AllowCreate=true         | Check box clear    | No action. IdP cannot create Name ID value.
    AllowCreate=false        | Check box selected | No action. No Name ID value created. The attribute in the AuthnRequest overrides the IdP setting.
    AllowCreate=false        | Check box clear    | No action. No Name ID value created.
    No AllowCreate attribute | Check box selected | Creates Name ID value.
    No AllowCreate attribute | Check box clear    | No action. No Name ID value created.
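The AllowCreate interaction above, as an added example that is not part of the original documentation or the product: it reads the AllowCreate attribute of a (constructed) AuthnRequest's NameIDPolicy element as an xs:boolean and applies the decision rule from the table, treating an absent attribute as permission and an explicit AllowCreate=false as overriding the IdP check box.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Real SAML 2.0 protocol namespace (from the OASIS spec, not page-specific).
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample requests; only the NameIDPolicy element matters here.
REQ_ALLOW_TRUE = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_c1" Version="2.0">'
    '<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>'
)
REQ_ALLOW_FALSE = REQ_ALLOW_TRUE.replace('AllowCreate="true"', 'AllowCreate="false"')
REQ_NO_ATTR = REQ_ALLOW_TRUE.replace(' AllowCreate="true"', "")


def allow_create_from_request(xml_text: str) -> Optional[bool]:
    """Return True/False for an explicit AllowCreate and None when the attribute
    (or the whole NameIDPolicy element) is absent. AllowCreate is an xs:boolean,
    so 'true'/'1' and 'false'/'0' are the only valid lexical forms."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    if policy is None or "AllowCreate" not in policy.attrib:
        return None
    raw = policy.attrib["AllowCreate"].strip()
    if raw in ("true", "1"):
        return True
    if raw in ("false", "0"):
        return False
    raise ValueError(f"invalid xs:boolean for AllowCreate: {raw!r}")


def idp_may_create_name_id(sp_allow_create: Optional[bool], idp_checkbox_selected: bool) -> bool:
    """Decision rule from the table: the IdP creates a Name ID only when its own check box
    is selected and the SP did not send AllowCreate=false; an absent attribute permits creation."""
    if not idp_checkbox_selected:
        return False
    return sp_allow_create is not False


if __name__ == "__main__":
    for label, req in (("true", REQ_ALLOW_TRUE), ("false", REQ_ALLOW_FALSE), ("absent", REQ_NO_ATTR)):
        sp = allow_create_from_request(req)
        print(f"AllowCreate={label}: checkbox selected -> {idp_may_create_name_id(sp, True)}, "
              f"checkbox clear -> {idp_may_create_name_id(sp, False)}")
```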
Assertion Attributes (SAML 2.0 IdP)
The Assertion Attributes section lets you specify which user attributes are included in the assertion.
This section displays the following settings:
  • Assertion Attribute
    Specifies a specific attribute for inclusion in the assertion. Specify the attribute that the relying party is expecting in the assertion. This entry is not necessarily a user store attribute.
    Value:
    Attribute name used at the relying party.
  • Retrieval Method
    Specifies the intended use of the attribute.
    Options:
    • SSO
      Indicates that the attribute is used for single sign-on.
    • Attribute Service
      Indicates the attribute is for use by the Attribute Authority to complete requests from an attribute query.
    • Both
      Indicates the attribute is for use by the Attribute Authority and SSO.
  • Format
    Specifies the format for the attribute that will be part of a SAML assertion. Options are:
    • unspecified
    • basic
    • uri
    Refer to the SAML 2.0 specification for definitions of these formats.
  • Type
    Specifies the type and source of the assertion attribute.
    Options:
    • Static
      Indicates that the attribute is a constant value that you enter in the Value field.
      Value:
      Enter a constant value of the attribute for the Static type.
    • User Attribute
      Obtains the attribute by querying a user directory for the attribute specified in the Value field.
      Value:
      Enter a valid attribute from a user directory and its associated values.
      For User Attributes only:
      LDAP supports attributes with multiple values. By default, the Policy Server joins multiple LDAP attribute values together with the caret symbol (^) to create a single assertion attribute value. To make a multi-valued LDAP attribute result in a multi-valued assertion attribute, use the prefix FMATTR: with the attribute name.
      Note:
      The prefix must be uppercase. We recommend that the case of the attribute you enter matches the case of the attribute in the LDAP directory.
      Example:
      To add the user attribute mail with multiple attribute values, enter FMATTR:mail.
      Each value is specified as a separate <AttributeValue> element in the assertion. The example result is:
      <ns2:Attribute Name="mail">
      <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
      <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
      <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
      </ns2:Attribute>
      Without the FMATTR: prefix (the attribute name is mail), the example result is:
      <ns2:Attribute Name="mail">
      <ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>
      </ns2:Attribute>
    • Session Attribute
      Obtains the attribute by querying the session store for the attribute specified in the Value field.
      Value:
      Enter the value of a session attribute.
    • DN Attribute (LDAP only)
      Obtains the attribute by sending a query with the DN attribute specified in the Value field and the DN specified in the DN Spec field. This option is primarily used to identify a group of users.
      Value:
      Enter a DN attribute.
    • Expression
      Enter a string using the Java Unified Expression Language (JUEL) to transform, add, or delete an assertion attribute.
      Value:
      Specify a JUEL expression.
  • DN Spec
    Specifies the DN when the attribute is of the DN type.
    Example:
    ou=Marketing,o=ca.com
     
  • Encrypt
    Indicates that the assertion attributes are encrypted at run time before the assertion is sent to the relying party.
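The FMATTR: behaviour described under User Attribute, as an added example that is not part of the original documentation or the product: it models how a configured attribute name turns a multi-valued LDAP result into either one <AttributeValue> per value (FMATTR: prefix) or a single caret-joined value (no prefix), and shows what a relying party receives in each case. The LDAP values and the helper names are constructed for the example; the namespace URIs are the standard SAML 2.0 ones.

```python
import xml.etree.ElementTree as ET

# Real SAML 2.0 assertion namespace and the "basic" attribute name format (OASIS spec).
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEFORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ET.register_namespace("saml", SAML_NS)

# Constructed sample: a multi-valued LDAP 'mail' attribute as the user directory returns it.
SAMPLE_MAIL_VALUES = ["user@example.com", "user.alias@example.com", "u@example.org"]


def build_attribute(configured_name: str, ldap_values: list) -> ET.Element:
    """Model the documented rule: an uppercase 'FMATTR:' prefix on the configured name
    yields one <AttributeValue> per LDAP value and the prefix is stripped from Name;
    without the prefix the values are joined with '^' into a single <AttributeValue>."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute")
    if configured_name.startswith("FMATTR:"):  # case-sensitive: the prefix must be uppercase
        attr.set("Name", configured_name[len("FMATTR:"):])
        values = list(ldap_values)
    else:
        attr.set("Name", configured_name)
        values = ["^".join(ldap_values)]
    attr.set("NameFormat", NAMEFORMAT_BASIC)
    for value in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return attr


def attribute_values(attr: ET.Element) -> list:
    """Relying-party side: the values exactly as carried in the <AttributeValue> elements."""
    return [av.text or "" for av in attr.findall(f"{{{SAML_NS}}}AttributeValue")]


def serialize(attr: ET.Element) -> str:
    """Render the element as it would appear inside the assertion (prefix 'saml' here,
    'ns2' in the documentation's output; the namespace URI is what matters)."""
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    for configured in ("FMATTR:mail", "mail"):
        attr = build_attribute(configured, SAMPLE_MAIL_VALUES)
        print(f"configured name {configured!r} -> {len(attribute_values(attr))} AttributeValue element(s)")
        print(serialize(attr))
```

A relying party that splits the joined form on '^' cannot tell a separator from a caret inside a value, so FMATTR: is the form to use when the relying party must consume each value separately.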
Assertion Generator Plug-in (SAML 2.0 IdP)
The Assertion Generator Plug-in section lets you specify a plug-in that you have written, which CA Single Sign-On can use to add attributes to an assertion.
  • Plug-in Class
    Specifies the fully qualified Java class name of the plug-in. This plug-in is invoked at run time. Enter a name, for example:
    com.mycompany.assertiongenerator.AssertionSample
    The plug-in class can parse and modify the assertion, and then return the result to CA Single Sign-On for final processing. Only one plug-in is allowed for each relying party. A sample plug-in is included in the SDK. View a compiled sample plug-in, fedpluginsample.jar, in the directory federation_sdk_home\jar.
    You can also view source code for the sample plug-in in the directory federation_sdk_home\sample\com\ca\federation\sdk\plugin\sample.
  • Plug-in Parameters
    (Optional) Specifies the string that CA Single Sign-On passes to the plug-in as a parameter. CA Single Sign-On passes the string at run time. The string can contain any value; there is no specific syntax to follow.
    The plug-in interprets the parameters that it receives. For example, the parameter could be the attribute name, or the string can contain an integer that instructs the plug-in to perform a task.