Layer7 Access Management

Expand all | Collapse all

SAML SP Post HTTP Headers

  • 1.  SAML SP Post HTTP Headers

    Posted 03-17-2015 08:55 AM

    Hi All,

     

    I have a query. We integrated a SAAS provider with SAML2 HTTP Post. SiteMinder is acting as the IDP and SAAS provider as the SP (Service Provider).

     

    The SAAS provider requires that we provide a HTTP Header value as part of the SAML Post message. Is this something that would be achievable. i.e. the user authenticates against SiteMinder SPS. On successful authentication and authorisation the user is redirected to the SAAS provider with the appropriate HTTP Header value as part of the post message.

     

    Any suggestions would be appreciated.

     

    Kind regards,

    Bjorn



  • 2.  Re: SAML SP Post HTTP Headers

    Posted 03-17-2015 09:07 AM

    Bjorn Bjorn_Gluck

     

    Yes it is OOB functionality.

     

    Here is the link for Legacy Federation, The same is also true for Partnership federation.

     

    The IdP can pass additional information about the User in the assertion as additional assertion attributes.

     

    https://wiki.ca.com/display/sm1252sp1/%28Optional%29+Configure+Attributes+for+Assertions

     

     

    Regards

     

    Hubert



  • 3.  Re: SAML SP Post HTTP Headers

    Posted 04-02-2015 11:14 AM

    Hi Hubert,

     

    Thank you very much for the information. I have been looking
    at this, but have not been able to resolve this.

     

    Basically once the user is authenticated by SiteMinder, the
    user is redirected to the SAAS provider. The SAAS provider requires that a HTTP
    Header of Access-Control-Allow-Origin: https://***.***.com<https:// ***.***.com/>
    is present. Is there a way to achieve this?

     

    Kind regards,

    Bjorn



  • 4.  Re: SAML SP Post HTTP Headers

    Posted 04-02-2015 12:05 PM

    Thank You Bjorn Bjorn_Gluck

     

    There are 3 options we have here.

     

    A]. If this is a static value for all User (i.e. remain same for all user) then we could configure a STATIC Response Attribute with Header Name as "Access-Control-Allow-Origin" and value as "https://***.***.com".

     

    B]. If it is a field that is populated somehow in the UserDirectory, then we could use a USER Response Attribute with Header Name as "Access-Control-Allow-Origin" and value as the "AttributeName in UserDirectory" which store this value.

     

    C]. If we would like to generate this on the fly, then we'd need to write a Custom AGP.

     

     

    Regards

     

    Hubert



  • 5.  Re: SAML SP Post HTTP Headers

    Posted 04-02-2015 12:08 PM

    Could I seek your confirmation again, does it need to be in HTTP Header of http request stream (i.e. http traffic) OR within the SAML Assertion (Attributes)? If it is the former, then I don't think it could be done (nor does it fall under SAML Message exchange specs). If it is latter, then the 3 options are listed above.



  • 6.  Re: SAML SP Post HTTP Headers

    Posted 04-06-2015 09:51 AM

    Hi Hubert,

     

    Thank you for the feedback. For this particular service provider it needs to be a http header of the http request stream. I have been suspecting that this is not something that is possible.

     

    One option that I am thinking of is actually protecting the Service Provider URL https://app1.saasapp.com/app1* with SiteMinder and proxy the request via SiteMinder SPS and therefore inserting the http header that way.

     

    Kind regards,

    Bjorn



  • 7.  Re: SAML SP Post HTTP Headers

    Posted 04-06-2015 10:04 AM

    Thank You Bjorn Bjorn_Gluck

     

    Yes that is one possible way to do it via SPS and inject the header in the http stream.

     

    The one thing that needs to be decided (taken care) in "Protecting the Service Provider via SPS" is that do we want the complete SP Traffic to be routed via SPS (additional traffic burden on IdP Side) or just the first / initial request (Is there a loophole, if for some reason we miss the first request via SPS what would happen)?

     

    Typically in a federated solution there is direct browser communication i.e. Browser <> IdP and Browser <> SP. In this case it would look as Browser <> IdP (SPS) <> SP.

     

     

    Regards

     

    Hubert