SAML 2.0 Attribute Configuration
- Attribute Type: Specifies the format for the attribute that is part of a SAML assertion. Options are:
  - unspecified
  - basic
  - uri
  Refer to the SAML 2.0 specification for definitions of these formats.
Attribute Setup -- Attribute Kind
The Attribute Kind section contains options that allow you to specify the attribute type:
- Static: Returns data that remains constant. Use a static attribute to include a fixed value as part of an assertion. Specify static values in the Variable Name and Variable Value fields. Use a static attribute to return a string as part of a SiteMinder response. This type of response can be used to provide information to a web application. For example, if a group of users has specific customized content on a website, the static response attribute show_button = yes could be passed to the application.
- User Attribute: Returns profile information from a user entry in a user directory. This type of response attribute returns information that is associated with a user in a directory. A user attribute can be retrieved from an LDAP, WinNT, or ODBC user directory. For the Policy Server (the SiteMinder IdP) to return user directory attribute values as response attributes, configure the user directory in the User Directory settings. For attributes from an LDAP user store, you can add multi-valued user attributes to an assertion. Review the Help for the Attribute Name field in this dialog for information about multi-valued attributes.
- DN Attribute: Returns profile information from a directory object in a user directory. Groups and Organizational Units (OUs) that are part of a user DN are examples of directory objects whose attributes can be treated as DN attributes. For example, use a DN attribute to return the company division of a user, based on that user's membership in a division. Selecting this option activates the Variable Name, DN Spec, and Attribute Name fields, which you configure to add the attribute to the assertion. It also activates the Allow Nested Groups check box. Allowing nested groups lets SiteMinder return an attribute from a group that is nested in another group that a policy specifies. Nested groups often occur in complex LDAP deployments. For the Identity Provider to return an assertion containing DN attributes, configure the user directories in the User Directory settings.
- Allow Nested Groups: Indicates that nested groups are allowed when selecting the DN. Enabled only if DN Attribute is selected.
- Encrypted: Instructs SiteMinder to encrypt the DN attribute.
- Retrieval Method: Specifies the intended use of the attribute. Limits:
  - SSO: Indicates that the attribute is used for single sign-on.
  - Attribute Service: Indicates that the attribute is for use by the Attribute Authority to complete requests from an attribute query.
Attribute Setup -- Attribute Fields
Complete the fields for the Attribute Kind that you selected. A combination of different fields becomes available depending on the attribute type (static, user attribute, DN attribute).
- Variable Name: Designates the name for the attribute that the Policy Server returns in the assertion. Complete this field for any attribute type.
- Variable Value (Static only): Defines the static text as the value of the name/value pair.
- Attribute Name (User and DN Attributes only): Specifies the user directory attribute that the Policy Server uses for the name/value pair. Enter a valid attribute from a user directory and its associated values.
  For User Attributes only: LDAP supports attributes with multiple values. By default, the Policy Server joins multiple LDAP attribute values together with the caret symbol (^) to create a single assertion attribute value. To make a multi-valued LDAP attribute result in a multi-valued assertion attribute, prefix the attribute name with FMATTR:. The prefix must be uppercase. We recommend that the case of the attribute name you enter matches the case of the attribute in the LDAP directory.
  Example: To add the user attribute mail with multiple attribute values, enter FMATTR:mail. Each value is specified as a separate <AttributeValue> element in the assertion. The example result is:
    <ns2:Attribute Name="mail">
      <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
      <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
      <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    </ns2:Attribute>
  Without the FMATTR: prefix (the attribute name is mail), the example result is:
    <ns2:Attribute Name="mail"></ns2:Attribute>
- DN Spec (DN Attribute only): Specifies the DN of the user or user group whose attribute, named in the Attribute Name field, is returned.
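The FMATTR: behaviour described for the Attribute Name field, as an added example that is not part of the original SiteMinder documentation: a small Python model of the IdP side (building the <Attribute> element from a constructed LDAP entry, with and without the prefix) and of the consumer side (reading the values back out). The LDAP entry, the saml namespace prefix (used in place of the ns2 prefix shown above, because ElementTree reserves prefixes of the form nsN), and all function names are assumptions made for this illustration.

```python
# Added example (not SiteMinder's own code): shows how a multi-valued LDAP
# attribute reaches a SAML 2.0 assertion with and without the FMATTR: prefix.
# The LDAP entry, the "saml" prefix and all function names are constructed here.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)   # ElementTree reserves "nsN" prefixes, so "saml" stands in for ns2
FMATTR_PREFIX = "FMATTR:"                # must be uppercase, per the documentation
DEFAULT_JOIN = "^"                       # default separator for multi-valued LDAP results

# Constructed LDAP entry standing in for a user directory lookup.
LDAP_ENTRY = {
    "mail": ["alice@example.test", "a.smith@example.test", "asmith@corp.example.test"],
    "cn": ["Alice Smith"],
}


def parse_attribute_name(configured):
    """Split the configured Attribute Name into (multi_valued, ldap_attribute).

    In this model only the exact uppercase 'FMATTR:' prefix switches on
    multi-valued output. Anything else, including 'fmattr:mail', is looked up
    literally, so a mis-cased prefix yields an attribute with no values.
    """
    if configured.startswith(FMATTR_PREFIX):
        return True, configured[len(FMATTR_PREFIX):]
    return False, configured


def build_attribute(configured, entry=LDAP_ENTRY):
    """Return the <saml:Attribute> element the IdP would emit for this configuration."""
    multi, name = parse_attribute_name(configured)
    values = entry.get(name, [])
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": name})
    if multi:
        # One <AttributeValue> element per LDAP value.
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    elif values:
        # Default behaviour: a single value holding the caret-joined LDAP values.
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = DEFAULT_JOIN.join(values)
    return attr


def attribute_values(attr):
    """Consumer side: the text of each <AttributeValue> child, in order."""
    return [e.text for e in attr.findall(f"{{{SAML_NS}}}AttributeValue")]


def split_joined_value(attr):
    """Consumer side for the default (non-FMATTR) form: split the single
    caret-joined value back into a list. A legitimate value that itself
    contains '^' cannot be told apart from a separator here, which is the
    practical reason to prefer FMATTR: for multi-valued data."""
    values = attribute_values(attr)
    return values[0].split(DEFAULT_JOIN) if values else []


def to_xml(attr):
    """Serialise the element the way it would appear inside the assertion."""
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(build_attribute("FMATTR:mail")))
    print(to_xml(build_attribute("mail")))
    print(to_xml(build_attribute("fmattr:mail")))
```

Running the block prints the three forms side by side: FMATTR:mail produces one AttributeValue per address, mail produces a single caret-joined value, and fmattr:mail (wrong case) is, in this model, looked up literally and produces an empty attribute, which is the failure mode behind the uppercase requirement. The split_joined_value function is the service-provider view of the default form: it works for these addresses, but a value containing ^ would be split incorrectly, so a consumer that needs reliable multi-valued data should ask for the FMATTR: form rather than re-splitting the joined string.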
The Advanced section contains the following field:
- Script: Displays the script that SiteMinder generates based on your entries on the Attribute Setup tab. You can copy the contents of this field and paste them into the Script field for another response. If you copy and paste the contents of the Script field for another entitlement, select the appropriate option in the Attribute Kind section of the Attribute Setup tab.