Symantec Access Management

  • 1.  Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 12, 2014 01:52 PM

We are doing a Partnership Federation and our SAML requests are SP-initiated to the IdP for authentication. Our clients are going to use different languages in their browsers, for example English, Spanish, Japanese, Chinese, Russian, and many other languages.

     

    Current URL format below:

    http://sp_server:port/affwebservices/public/saml2authnrequest?ProviderID=IdP_ID&ProtocolBinding=URI_of_binding&RelayState=target_URL

     

     

We want to pass the language details, based upon the language the end user is using in their browser, into the SAML 2.0 request initiated by Affiliated Web Services (WAOP) at the SP end to the IdP for authentication. Our IdP (third party) can serve different languages as well.

Please advise if anyone has come across this kind of scenario of passing the language details in the SAML requests. We don't want to use any static settings for multiple languages; it should work by taking the values dynamically from the user's browser language.

     

Below are the scenarios.

     

    English:

    http://sp_server:port/affwebservices/public/saml2authnrequest?ProviderID=IdP_ID&ProtocolBinding=URI_of_binding&RelayState=target_URL&Lang=en


    Spanish:

    http://sp_server:port/affwebservices/public/saml2authnrequest?ProviderID=IdP_ID&ProtocolBinding=URI_of_binding&RelayState=target_URL&Lang=es

     

    Appreciate your assistance!

     

    Regards,

    Soma



  • 2.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 12, 2014 04:21 PM

I am still trying to understand why it would matter to the IdP if the end user application or SP application is in any particular language; I am missing something here. The end user application content rendering could be in any language. SAML defines a common communication protocol between two not-so-similar entities, i.e. the IdP and SP, irrespective of whatever the IdP and SP are internally set up as or to be.

     

Is your intention that, based on the SP language, you want to show the same-language login page on the IdP side? Also, in this case, does the Identity Store support multilingual credentials, i.e. do you have usernames and passwords in different languages in the same Identity Store on the IdP?

     

In order to change the look and feel of the HTML login.fcc, please refer to this link.

    https://wiki.ca.com/display/sm1252sp1/How+to+Configure+HTML+Forms+Authentication

     

Could you also confirm whether SiteMinder is being used on the SP or IdP side? I am assuming it is on the SP side since you referred to WAOP on the SP.

     

     

    Regards

     

    Hubert



  • 3.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 12, 2014 05:02 PM

    Hi Hubert,

     

    Thanks for your response!

     

Yes, our intention is that, based on the SP language, we want to show the same-language login page on the IdP side.

Our IdP does not support multilingual credentials, but it supports displaying different languages on its web pages/login pages.


Our goal is to initiate/select the language based upon the end user's browser session; that should be passed to the IdP, which then shows the same-language login page, and finally the user reaches the target in the same language after successful authentication.


The entire process should be seamless to the end users in their preferred language.


Is there any procedure to validate these scenarios by using different languages and checking the results?


We were trying to add lang=en or something like that, but it did not work.


    Please advise.


    Thanks,

    Soma



  • 4.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 12, 2014 05:17 PM

Thank you, Soma.

     

Okay, one thing that is clear for now is that only the external content rendering is internationalized. However, all objects and credentials (i.e. in general all user input) would still be in English.

     

Please advise on the following:

     

    • Where is SiteMinder being used? IdP or SP or both?
    • What sort of Authentication Scheme are you planning to use initially on the IdP end? If, for starters, we work with forms / login.fcc as an example, would that be fine?

     

     

    Regards

     

    Hubert



  • 5.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 12, 2014 05:46 PM

Preempting your reply, assuming SiteMinder is used on the IdP.

     

     

I am thinking that if we are using login.fcc, the locale could be set by dynamically populating the following directives in login.fcc.

     

    Localization Name Value Pairs

    The .fcc template files include two localization parameters:

    • smlocale
      Used to determine the language used in the HTML forms that collect user information or display status messages.
      The value that is paired with smlocale corresponds to part of the name of a localization properties file. The localization properties file contains IDs mapped to text strings in the specified language.
      smlocale values have the following format:
      COUNTRY-LANGUAGE
      For example, the value for smlocale for United States English is:
      SMLOCALE=US-EN
    • smenc
      Contains information that tells the browser what language encoding to use. Changing the default value for this variable overrides the encoding set in the following META tag:
      <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">

     

     

The question which I cannot answer for sure at the moment, and which you may have to investigate, is how the URL looks on the IdP side when it is redirected to the Authentication URL and from the Authentication URL to login.fcc. During the redirect to login.fcc for challenging the user for credentials, if there is a query parameter which could be set in the URL and subsequently substituted as the value of the "SMLOCALE" directive defined in login.fcc, then login.fcc should be displayed in the localized language with localized error messages for failed logins etc.

     

     

    Regards

     

    Hubert



  • 6.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 13, 2014 10:10 AM

    Hi Hubert,

     

    Below are the answers to your questions.

     

    • Where is SiteMinder being used? IdP or SP or both?

Answer: SiteMinder is being used at the SP end. The IdP is third-party (i.e. NetIQ).

    • What sort of Authentication Scheme are you planning to use initially on the IdP end? If, for starters, we work with forms / login.fcc as an example, would that be fine?

Answer: We are using the SAML 2.0 Authentication Scheme which was created when we set up the Partnership Federation between the SP and the IdP.

     

    Thanks,

    Soma



  • 7.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 13, 2014 10:45 AM

    Hmmmm okay

     

So the question is really that you want to send language information in your AuthnRequest?

     

I doubt there is a way SiteMinder would be able to pick the locale automatically from the user's browser and stick it into the AuthnRequest.

     

My recommendation would be that this needs to be handled by code logic outside SiteMinder (i.e. application code) which builds the AuthnRequest URL that invokes SiteMinder Federation Services.

     

     

    If (browserLocale = English) then build the URL as

    http://sp_server:port/affwebservices/public/saml2authnrequest?ProviderID=IdP_ID&ProtocolBinding=URI_of_binding&RelayState=/landingpage.html?lang=en

    else if (browserLocale = Spanish) then build the URL as

    http://sp_server:port/affwebservices/public/saml2authnrequest?ProviderID=IdP_ID&ProtocolBinding=URI_of_binding&RelayState=/landingpage.html?lang=es

     

     

I would recommend using it as a query parameter of the RelayState target rather than appending it with '&' to the saml2authnrequest URL.

     

     

The final thing I would do is check what the SAML specification states about handling internationalization. I'll see if I can find anything.

     

     

    Regards

     

    Hubert



  • 8.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 13, 2014 12:33 PM

    Hi Hubert,

     

    Thanks for your update!

     

    I will also take a look into the SAML 2.0. Please let me know if you find anything.

     

    Thanks,

    Soma



  • 9.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 13, 2014 10:50 PM

I checked the SAML specification and could not find anything...

    http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

     

On the other hand, I am thinking from a different perspective now, i.e. the end user's browser is the same. For example, I am using a Japanese machine and opening a browser on that machine. The browser locale would be JP. I access the SP application and get redirected to the IdP in the same browser. The IdP application / login page can very well read the locale from the browser and understand it is JP.

     

Why should the SP bother sending the locale across to the IdP, unless there is a different use case, i.e. I use an English machine and access content which is Japanese, or vice versa? Is this going to be the case on your end?

     

    Regards

     

    Hubert



  • 10.  Re: Partnership Federation - Language Specific SAML 2.0 Requests

    Posted Nov 14, 2014 09:42 AM

    Hi Hubert,

     

    Below are two scenarios.

     

    Scenario 1:

Most of the clients visit their local offices or libraries and access the application from the workstations deployed at the respective locations.

The end users' machines are in English, but the application can be set to any language based upon the end user's language. So we want to serve the application in that particular language. Our application supports 10 different languages.

     

    Scenario 2: (You mentioned it already)

    The End User Browser is same. For e.g. I am using a Japanese Machine and opening a browser in that machine. The browser locale would be JP.



    Thanks,

    Soma
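The following is an added worked example, not code from the thread, SiteMinder, or NetIQ. It implements the approach Hubert sketches in reply 7 (application code builds the saml2authnrequest URL and carries the language inside the RelayState target's query string) and generalizes it to both of Soma's scenarios in reply 10: an explicit language selection made in the application (scenario 1, shared English workstations) takes precedence, and the browser's Accept-Language header (scenario 2) is the fallback. The supported-language list, the HTTP-POST ProtocolBinding URN, the `/landingpage.html` target and all function names are assumptions for illustration. Two checks a practitioner wants here are included: the language value is taken from an allow-list rather than echoed from the request (so nothing attacker-controlled is reflected into the URL), and the RelayState target is restricted to a local absolute path (a user-influenced RelayState is otherwise an open redirect at the end of the federation flow). The 80-byte cap on RelayState comes from the SAML 2.0 Bindings specification for the HTTP Redirect binding.

```python
"""Build a SiteMinder SP-initiated SAML 2.0 AuthnRequest URL that carries the
end user's language inside RelayState. Added illustration; not SiteMinder code."""
from urllib.parse import urlencode, urlsplit

# Assumed allow-list of languages the application can serve (the thread says "10").
SUPPORTED_LANGS = {"en", "es", "ja", "zh", "ru", "de", "fr", "pt", "it", "ko"}
DEFAULT_LANG = "en"

# Assumed SP-side values standing in for the placeholders used in the thread's URLs.
SP_BASE = "http://sp_server:port/affwebservices/public/saml2authnrequest"
PROVIDER_ID = "IdP_ID"
PROTOCOL_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# SAML 2.0 Bindings spec, HTTP Redirect binding: RelayState MUST NOT exceed 80 bytes.
RELAYSTATE_MAX_BYTES = 80


def parse_accept_language(header: str) -> list:
    """Return the language tags of an Accept-Language header, best quality first.
    'es-MX,es;q=0.9,en;q=0.5' -> ['es-mx', 'es', 'en']. Tags with q=0 are dropped."""
    entries = []
    for pos, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for p in params.split(";"):
            key, _, value = p.strip().partition("=")
            if key.strip() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q > 0:
            entries.append((-q, pos, tag.strip().lower()))   # stable: higher q first, then header order
    entries.sort()
    return [tag for _, _, tag in entries]


def negotiate_language(accept_language: str, selected: str = "") -> str:
    """Choose the language to hand to the IdP.
    Scenario 1: an explicit in-app selection wins, but only if it is on the allow-list.
    Scenario 2: otherwise walk Accept-Language (primary subtag only, 'zh-tw' -> 'zh').
    Anything unrecognized falls back to DEFAULT_LANG; no raw input is ever reflected."""
    if selected and selected.lower() in SUPPORTED_LANGS:
        return selected.lower()
    for tag in parse_accept_language(accept_language):
        primary = tag.split("-")[0]
        if primary in SUPPORTED_LANGS:
            return primary
    return DEFAULT_LANG


def safe_target(target: str) -> str:
    """RelayState is where the SP sends the browser after the assertion is consumed.
    Accept only a same-site absolute path; a scheme, a host or a protocol-relative
    '//host' would turn a user-influenced RelayState into an open redirect."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or not parts.path.startswith("/") or parts.path.startswith("//"):
        raise ValueError("RelayState target must be a local absolute path")
    return target


def build_authn_request_url(accept_language: str, target: str = "/landingpage.html",
                            selected_lang: str = "") -> str:
    """Assemble the saml2authnrequest URL; the language rides in the RelayState
    target's query string, not as an extra top-level '&Lang=' parameter."""
    lang = negotiate_language(accept_language, selected_lang)
    relay_state = f"{safe_target(target)}?lang={lang}"
    if len(relay_state.encode("utf-8")) > RELAYSTATE_MAX_BYTES:
        raise ValueError("RelayState exceeds the 80-byte limit of the SAML 2.0 HTTP Redirect binding")
    query = urlencode({"ProviderID": PROVIDER_ID,
                       "ProtocolBinding": PROTOCOL_BINDING,
                       "RelayState": relay_state})
    return f"{SP_BASE}?{query}"


if __name__ == "__main__":
    # Constructed sample headers, one per situation discussed in the thread.
    print(build_authn_request_url("en-US,en;q=0.9"))              # English browser
    print(build_authn_request_url("ja,en-US;q=0.8"))               # Japanese machine
    print(build_authn_request_url("en-US", selected_lang="es"))    # English kiosk, user picked Spanish
```

The SP application issues the returned URL as the redirect that starts the SP-initiated flow; SiteMinder forwards RelayState to the IdP unchanged, and the IdP login page reads `lang` from it. Note that the IdP only ever sees an allow-listed two-letter code, so the IdP side can map it to a resource bundle without further validation, and the post-login landing page receives the same code, which keeps the whole round trip in one language as Soma asked.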