SAML 2.0 Attribute Configuration

The Add Attributes page lets you configure attributes that the Identity Provider or Attribute Authority return to the relying party.
  • Attribute Type
Specifies the format for the attribute that is part of a SAML assertion. Options are:
  • unspecified
  • basic
  • uri
Refer to the SAML 2.0 specification for definitions of these formats.
Attribute Setup -- Attribute Kind
The Attribute Kind section contains options that allow you to specify the attribute type:
  • Static
    Returns data that remains constant. Use a static attribute to include a fixed value as part of an assertion. Specify static values in the Variable Name and Variable Value fields.
    Use a static attribute to return a string as part of a SiteMinder response. This type of response can be used to provide information to a web application. For example, if a group of users has specific customized content on a website, the static response attribute, show_button = yes, could be passed to the application.
  • User Attribute
    Returns profile information from a user entry in a user directory.
    This type of response attribute returns information that is associated with a user in a directory. A user attribute can be retrieved from an LDAP, WinNT, or ODBC user directory.
    For the Policy Server to return values from the user directory attributes as response attributes, the user directories are configured in the User Directory dialog.
    For attributes from an LDAP user store, you can add multi-valued user attributes to an assertion. Review the Help for the Attribute Name field in this dialog for information about multi-valued attributes.
    For the SiteMinder IdP to return values from a user directory, configure the user directory in the User Directory settings.
  • DN Attribute
    Returns profile information from a directory object in a user directory. Groups and Organizational Units (OUs) that are part of a user DN are examples of directory objects whose attributes can be treated as DN attributes. For example, use a DN attribute to return a company division for a user that is based on the membership of that user in a division.
    Activates the Variable Name, DN Spec, and Attribute Name, which you configure to add the attribute to the assertion.
    Selecting a DN Attribute also activates the Allow Nested Groups check box. Allowing nested groups lets SiteMinder return an attribute from a group that is nested in another group that a policy specifies. Nested groups often occur in complex LDAP deployments.
    For the Identity Provider to return an assertion containing DN attributes, the user directories are configured in the User Directory settings.
  • Allow Nested Groups
    Indicates that nested groups are allowed when selecting the DN. Enabled if the DN Attribute is selected.
  • Encrypted
    Instructs SiteMinder to encrypt the DN attribute.
  • Retrieval Method
    Specifies the intended use of the attribute.
    Limits:
    • SSO
      Indicates that the attribute is used for single sign-on.
    • Attribute Service
      Indicates that the attribute is for use by the Attribute Authority to complete requests from an attribute query.
Attribute Setup -- Attribute Fields
Complete the fields for the Attribute Kind that you selected. A combination of different fields becomes available depending on the attribute type (static, user attribute, DN attribute).
  • Variable Name
    Designates the name for the attribute that the Policy Server returns in the assertion. Complete this field for any attribute type.
  • Variable Value
    (Static only) Defines the static text as the value for the name/value pair.
  • Attribute Name (User and DN Attributes only)
    Specifies the user directory attribute the Policy Server uses for the name/value pair. Enter a valid attribute from a user directory and its associated values.
    For User Attributes only:
    LDAP supports attributes with multiple values. By default, the Policy Server joins multiple LDAP attribute values together with the caret symbol (^) to create a single assertion attribute value. To indicate that a multi-valued LDAP attribute results in a multi-valued assertion attribute, use the prefix FMATTR: with the attribute name.
    The prefix must be uppercase. We recommend that the case of the attribute you enter matches the case of the attribute in the LDAP directory.
    Example:
    To add the user attribute mail with multiple attribute values, enter FMATTR:mail.
    Each value is specified as a separate <AttributeValue> element in the assertion. The example result is:
    <ns2:Attribute Name="mail">
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    </ns2:Attribute>
    Without the FMATTR: prefix (the attribute name is mail), the example result is:
    <ns2:Attribute Name="mail">
    <ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>
    </ns2:Attribute>
  • DN Spec
    (DN Attribute only) Specifies the DN of the user or user group and the name of the user attribute in the Attribute Name field.
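The following is an added example, not SiteMinder code: it parses both attribute shapes described under Attribute Name (one <AttributeValue> per value with FMATTR:, or caret-joined values without it) from a constructed SAML 2.0 attribute statement, so a relying party can see exactly what it receives in each case. It assumes the ns2 prefix in the page's output maps to the standard SAML 2.0 assertion namespace, and the mail addresses are made up.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Attribute Type values from the page, as the NameFormat URIs SAML 2.0 defines for them.
NAME_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "basic": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "uri": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
}
SEPARATOR = "^"  # default join character for multi-valued LDAP attributes without FMATTR:

def attribute_values(statement_xml, name, split_joined=False):
    """Return the values of attribute `name` as a list of strings.

    With the FMATTR: prefix the IdP emits one <AttributeValue> per LDAP value, so
    the list comes straight from the XML. Without it the values arrive caret-joined
    in one element; split_joined=True splits them, which is only safe for
    attributes whose values can never themselves contain '^'.
    """
    root = ET.fromstring(statement_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != name:
            continue
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        if split_joined:
            values = [part for v in values for part in v.split(SEPARATOR)]
        return values
    return []  # attribute absent: let the caller decide, never default to a value

# Constructed samples (hypothetical addresses): the same three LDAP mail values
# as the IdP emits them with and without the FMATTR: prefix.
MULTI_VALUED = f"""<ns2:AttributeStatement xmlns:ns2="{SAML_NS}">
  <ns2:Attribute Name="mail" NameFormat="{NAME_FORMATS['basic']}">
    <ns2:AttributeValue>alice@example.com</ns2:AttributeValue>
    <ns2:AttributeValue>alice.smith@example.com</ns2:AttributeValue>
    <ns2:AttributeValue>asmith@example.com</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>"""
CARET_JOINED = f"""<ns2:AttributeStatement xmlns:ns2="{SAML_NS}">
  <ns2:Attribute Name="mail" NameFormat="{NAME_FORMATS['basic']}">
    <ns2:AttributeValue>alice@example.com^alice.smith@example.com^asmith@example.com</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>"""

if __name__ == "__main__":
    print(attribute_values(MULTI_VALUED, "mail"))
    print(attribute_values(CARET_JOINED, "mail"))
    print(attribute_values(CARET_JOINED, "mail", split_joined=True))
```

If a relying party must split caret-joined values, it should only do so for attributes whose directory values are known never to contain a caret; otherwise request the attribute with FMATTR: so the IdP emits separate elements.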
The Advanced section contains the following field:
  • Script
    Displays the script that SiteMinder generates based on your entries in the Attribute Setup tab. You can copy the contents of this field and paste them into the Script field for another response.
    If you copy and paste the contents of the Script field for another entitlement, select the appropriate option in the Attribute Kind section of the Attribute Setup.