Layer7 API Management

  • 1.  SAML v2: How to include the SessionIndex attribute as part of the

    Posted Oct 28, 2015 05:33 AM

    Hello all,

     

    I am building the necessary policies for a (SAMLv2) STS for WebSSO using some example policies I got from CA support.

     

    Question:

    1. How can I include the SessionIndex attribute as part of the <saml2:AuthnStatement> element in the AuthnResponse?

     

    According to saml-profiles-2.0-os (Profiles for the OASIS Security Assertion Markup Language V2.0 OASIS Standard, 15 March 2005), Section 4.1.4 Use of Authentication Request Protocol, subsection 4.1.4.2 <Response> Usage:

    "At least one assertion containing an <AuthnStatement> MUST contain a <Subject> element with at least one <SubjectConfirmation> element containing a Method of urn:oasis:names:tc:SAML:2.0:cm:bearer. If the identity provider supports the Single Logout profile, defined in Section 4.4, any such authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider."

     

    In neither the "Create SAML Token Assertion" nor the "Build SAML Protocol Response Assertion" can I locate a SessionIndex attribute!

     

    CA Technical support replies:

    "This option is not available via these SAML assertions, however there is a Feature Request SSG-10959 opened. When searching for any possible alternative solutions, I've found references in other cases where customers have been able to add the SessionIndex element via the 'Evaluate Request XPath and XSL transformation' assertions followed by manually signing the token."

     

    Unfortunately, CA Technical support is not willing to share the names of customers who have created a workaround!

    Can someone please help me include the SessionIndex attribute in the AuthnResponse?

     

    Kind regards,

     

    Alex Heijdenrijk



  • 2.  Re: SAML v2: How to include the SessionIndex attribute as part of the
    Best Answer

    Posted Nov 05, 2015 09:22 AM

    If you need to accomplish this, then you will need to use the process prescribed. I apologize that we're not able to share customer information, but I am not sure that would help you build a workaround. The information provided by CA Support is the workaround, and hopefully I can expand upon it:

    1. Create the token but do not sign it.
    2. Use the Set Context Variable assertion to create the SessionIndex attribute.
    3. Add the attribute using an Evaluate Regular Expression assertion.
    4. Sign the token using the (Non-SOAP) Sign Element assertion.

    This can be done for any custom property that our Create SAML Token assertion is not using at this time.
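The four steps above, worked through outside the Gateway as an added example (this is not policy from the original thread or from CA/Layer7): a constructed, unsigned saml2:Assertion stands in for the output of step 1, `new_session_index` plays the role of the Set Context Variable step, `add_session_index_regex` mirrors the Evaluate Regular Expression step, and `add_session_index` does the same insertion with an XML-aware parser. `check_websso_profile` verifies the two requirements quoted from saml-profiles-2.0-os section 4.1.4.2 (a bearer SubjectConfirmation and a SessionIndex on every AuthnStatement), and `content_digest` is only a stand-in for the digest a real XML signature would cover, used to show why the attribute has to go in before step 4. All element content, the function names and the hash-based digest are assumptions of this example.

```python
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ET.register_namespace("saml2", SAML_NS)  # keep the saml2: prefix when re-serialising

# Constructed sample: what an unsigned token from step 1 might look like.
# Values are placeholders, not taken from any real deployment.
UNSIGNED_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-assertion-id" IssueInstant="2015-10-28T05:33:00Z" Version="2.0">
  <saml2:Issuer>https://idp.example.test</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>alice@example.test</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
  </saml2:Subject>
  <saml2:AuthnStatement AuthnInstant="2015-10-28T05:33:00Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
</saml2:Assertion>"""


def new_session_index():
    """Step 2 equivalent: SessionIndex is an opaque string, so use an
    unguessable per-session value the IdP records for later logout matching."""
    return "_" + secrets.token_hex(16)


def add_session_index(assertion_xml, session_index):
    """XML-aware insertion: set SessionIndex on every AuthnStatement."""
    root = ET.fromstring(assertion_xml)
    statements = root.findall(f"{{{SAML_NS}}}AuthnStatement")
    if not statements:
        raise ValueError("assertion carries no AuthnStatement to annotate")
    for stmt in statements:
        stmt.set("SessionIndex", session_index)
    return ET.tostring(root, encoding="unicode")


def add_session_index_regex(assertion_xml, session_index):
    """Step 3 equivalent: textual insertion as an Evaluate Regular Expression
    assertion would do it. The lookahead skips statements that already carry
    a SessionIndex so the edit is idempotent. Only safe with a value that
    needs no XML escaping (the hex string from new_session_index qualifies)."""
    pattern = r"<saml2:AuthnStatement\b(?![^>]*\bSessionIndex=)"
    return re.sub(pattern, f'<saml2:AuthnStatement SessionIndex="{session_index}"', assertion_xml)


def check_websso_profile(assertion_xml):
    """Return a list of deviations from the two quoted profile requirements;
    an empty list means the assertion passes."""
    findings = []
    root = ET.fromstring(assertion_xml)
    subject = root.find(f"{{{SAML_NS}}}Subject")
    methods = []
    if subject is not None:
        methods = [sc.get("Method") for sc in subject.findall(f"{{{SAML_NS}}}SubjectConfirmation")]
    if BEARER not in methods:
        findings.append("no SubjectConfirmation with Method bearer")
    statements = root.findall(f"{{{SAML_NS}}}AuthnStatement")
    if not statements:
        findings.append("no AuthnStatement")
    for i, stmt in enumerate(statements):
        if not stmt.get("SessionIndex"):
            findings.append(f"AuthnStatement[{i}] lacks SessionIndex")
    return findings


def content_digest(assertion_xml):
    """Stand-in for the digest an enveloped XML signature would commit to.
    It is NOT an XML-DSig digest; it only shows that the bytes change."""
    return hashlib.sha256(assertion_xml.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("before:", check_websso_profile(UNSIGNED_ASSERTION))
    fixed = add_session_index_regex(UNSIGNED_ASSERTION, new_session_index())
    print("after: ", check_websso_profile(fixed))
    print("digest changed:", content_digest(fixed) != content_digest(UNSIGNED_ASSERTION))
```

The digest comparison is the point of the ordering in the answer: any insertion into the assertion changes the bytes a signature covers, so the regex edit has to run between the unsigned Create SAML Token step and the Sign Element step; applied to an already signed token it would invalidate the signature. The XML-aware variant is shown because a regex can match in places a parser would not (a commented-out or nested element), so `check_websso_profile` is worth running on the final token in either case before it is signed.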