Symantec Access Management

  • 1.  Customize assertion attributes SAML2.0

    Posted Dec 06, 2016 08:41 AM

    Que 1 - I am configuring an IDP->SP federation partnership on the CA SiteMinder WAM UI; both sides work on SAML 2.0 SSO. The SP expects a few attributes in the assertion which cannot be passed plainly, i.e. there is no direct mapping from a user attribute. Such attributes are Full Name, e.g. John Doe, and Role Name, which should be formatted to get RoleName from AppName-RoleName. Please let me know how these attributes can be passed in the assertion.

    Que 2 - Also, is there any way to get user profile attributes from a database to pass in the assertion in the CA SiteMinder WAM UI?

    Appreciate your response. Thanks.



  • 2.  Re: Customize assertion attributes SAML2.0

    Posted Dec 06, 2016 02:13 PM

    Sima,


    You should use either JUEL or a custom plugin to create custom attributes. Since role is multi-valued, it is a bit complicated to achieve using JUEL, whereas for full name it is simple, and I have used the following expression:


    Assertion Attributes section from the partnership:

    Assertion Attribute: Attribute name that SP is expecting for full name (ex:FullName)

    Retrieval method: SSO

    Format: Unspecified or other (based on requirement)

    Type: Expression

    Value: #{attr["givenname"]} #{attr["sn"]} ("givenname" is the first name and "sn" is the last name in my case. Play with that bit to add any additional characters like a comma or period in between.)


    Hope this helps some part of your problem.


    Thanks

    Venkat



  • 3.  Re: Customize assertion attributes SAML2.0

    Posted Dec 07, 2016 01:36 AM

    Thanks a lot for quick response. This helped me to solve one of the issues.

    Also, do you have any insight on whether we can pass attributes from a database in an assertion attribute, or whether AD is the only way to map attributes?

    Thanks for looking into this.



  • 4.  Re: Customize assertion attributes SAML2.0



  • 5.  Re: Customize assertion attributes SAML2.0

    Posted Dec 07, 2016 01:52 AM

    Thanks a ton for the threads you have provided.

    Also, if you could please throw some light on how a database value can be mapped to an assertion attribute. For example, RoleName is not stored in AD; I need to fetch it from the database and map it to an assertion attribute after some formatting as well.

    Thank you so much for your help.



  • 6.  Re: Customize assertion attributes SAML2.0
    Best Answer

    Posted Dec 07, 2016 10:14 AM

    You can create an Attribute Mapping on the User Directory, retrieve the value from the database and filter it accordingly.

    For example: here I'm filtering with the "Domain User" keyword, so if the RoleName contains "Domain User" it will return the value. You would need to add this attribute name in the Partnership under Assertion Attributes.


    Thanks,

    Sharan
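    A worked illustration of the two derivations discussed in this thread (FullName from givenname and sn as in Venkat's JUEL expression, and RoleName filtered out of multi-valued AppName-RoleName entries as in Sharan's attribute mapping), rendered as a SAML 2.0 AttributeStatement. This is example code added here; it is not part of any reply, not SiteMinder's JUEL or AGP API, and the sample user attributes and the application name "HRApp" are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAME_FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample of user-directory attributes (not real data).
# "roles" is multi-valued and follows the AppName-RoleName convention from the thread.
SAMPLE_USER = {
    "givenname": "John",
    "sn": "Doe",
    "roles": ["HRApp-Domain User", "PayrollApp-Approver", "HRApp-Auditor"],
}


def full_name(attrs):
    """FullName = givenname + space + sn, the same join the JUEL expression performs."""
    return f'{attrs.get("givenname", "")} {attrs.get("sn", "")}'.strip()


def role_names(attrs, app_name):
    """Return the RoleName part of every AppName-RoleName entry that belongs to app_name.
    Only the first '-' is split on, so role names that themselves contain '-' stay intact."""
    roles = attrs.get("roles", [])
    if isinstance(roles, str):          # tolerate a single-valued directory attribute
        roles = [roles]
    result = []
    for entry in roles:
        app, sep, role = entry.partition("-")
        if sep and app == app_name and role:
            result.append(role)
    return result


def attribute_statement(attrs, app_name):
    """Render the derived attributes as a SAML 2.0 AttributeStatement (unspecified NameFormat)."""
    ET.register_namespace("saml", SAML_NS)
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    derived = {"FullName": [full_name(attrs)], "RoleName": role_names(attrs, app_name)}
    for name, values in derived.items():
        if not values or values == [""]:
            continue  # omit the attribute entirely rather than sending an empty AttributeValue
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                             Name=name, NameFormat=NAME_FORMAT_UNSPECIFIED)
        for value in values:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    print(attribute_statement(SAMPLE_USER, "HRApp"))
```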



  • 7.  Re: Customize assertion attributes SAML2.0

    Posted Dec 08, 2016 05:29 AM

    Thanks Sharan for the response. Can you please let me know how you made the connection to the database? In my case, I need to connect to a SQL Server database and fetch RoleNames from a table. Also, you used the GET() method; is it predefined?

    Thanks a lot for taking the time to respond.



  • 8.  Re: Customize assertion attributes SAML2.0

    Posted Dec 08, 2016 08:22 AM

    Is this the user directory (database) used for the Partnership, or is something else being used?


    If it is a different user directory and you want to add the attributes from that database to the Assertion, then you would need to write a custom AGP (Assertion Generator Plugin) and make use of web services to get the attributes from user directories other than the one added to the partnership.


    Thanks,

    Sharan