I am building the necessary policies for a (SAMLv2) STS for WebSSO using some example policies I got from CA support.
According to saml-profiles-2.0-os (Profiles for the OASIS Security Assertion Markup Language V2.0 OASIS Standard, 15 March 2005), Section 4.1.4 Use of Authentication Request Protocol, subsection 4.1.4.2 <Response> Usage:
"At least one assertion containing an <AuthnStatement> MUST contain a <Subject> element with at least one <SubjectConfirmation> element containing a Method of urn:oasis:names:tc:SAML:2.0:cm:bearer. If the identity provider supports the Single Logout profile, defined in Section 4.4, any such authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider."
In either the "Create SAML Token Assertion" or the "Build SAML Protocol Response Assertion", I cannot locate a SessionIndex attribute!
CA Technical support replies:
"This option is not available via these SAML assertions, however there is a Feature Request SSG-10959 opened. When searching for any possible alternative solutions, I've found references in other cases where customers have been able to add the SessionIndex element via the 'Evaluate Request XPath and XSL transformation' assertions followed by manually signing the token."
Unfortunately CA Technical support is not willing to share customer names who have created a workaround!
Can someone please help me to include the SessionIndex attribute in the AuthnResponse?
If you need to accomplish this, then you will need to use the process prescribed. I apologize that we're not able to share customer information, but I am not sure that would help you build a workaround. The information provided by CA Support is the workaround, and hopefully I can expand upon it.
This can be done for any custom property that our Create SAML Token assertion is not using at this time.
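The workaround described in the answer above, shown as an added example that is not from the original thread and not CA's own policy or code: the response produced by the gateway's "Build SAML Protocol Response" step is post-processed to set SessionIndex on every <AuthnStatement>, and a separate check confirms the profile requirement quoted in the question (every bearer-confirmed assertion with an <AuthnStatement> carries a SessionIndex). Plain-Python ElementTree stands in for the gateway's XPath/XSL transformation step; the sample response, the issuer URL, and the session index value are constructed placeholders, and the response is deliberately unsigned because the transformation must run before the "manually sign the token" step (a signature computed over the assertion before SessionIndex is added would no longer verify at the service provider).

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
NS = {"saml": SAML, "samlp": SAMLP}

# Keep the conventional prefixes when serialising instead of ns0/ns1.
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed, unsigned sample (not taken from the page): the shape of a
# WebSSO <Response> whose <AuthnStatement> lacks the SessionIndex attribute.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"/>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2014-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def add_session_index(response_xml, session_index):
    """Stand-in for the XSL transformation step: set SessionIndex on every
    <AuthnStatement> of every <Assertion>. Must run on the UNSIGNED response;
    sign afterwards."""
    root = ET.fromstring(response_xml)
    for stmt in root.iterfind(".//saml:Assertion/saml:AuthnStatement", NS):
        stmt.set("SessionIndex", session_index)
    return ET.tostring(root, encoding="unicode")


def assertions_missing_session_index(response_xml):
    """Check the profile rule quoted from saml-profiles-2.0-os 4.1.4.2:
    return the IDs of assertions that are bearer-confirmed and contain an
    <AuthnStatement> but where some <AuthnStatement> has no SessionIndex."""
    root = ET.fromstring(response_xml)
    offending = []
    for assertion in root.iterfind(".//saml:Assertion", NS):
        methods = {
            sc.get("Method")
            for sc in assertion.iterfind("saml:Subject/saml:SubjectConfirmation", NS)
        }
        if BEARER not in methods:
            continue  # rule only applies to bearer-confirmed assertions
        for stmt in assertion.iterfind("saml:AuthnStatement", NS):
            if not stmt.get("SessionIndex"):
                offending.append(assertion.get("ID"))
                break
    return offending


if __name__ == "__main__":
    print("before:", assertions_missing_session_index(SAMPLE_RESPONSE))
    fixed = add_session_index(SAMPLE_RESPONSE, "_session_placeholder_42")
    print("after: ", assertions_missing_session_index(fixed))
    print(fixed)
```

The check function is the useful half for a policy author: run it against the output of the transformation step in a test harness so that a regression in the XPath (for example, a namespace prefix that no longer matches) is caught before the signing step produces a valid signature over a non-compliant assertion. The SessionIndex value itself should be the per-session identifier the logout flow will later reference; the placeholder used here is constructed for the example.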