In an IDP-SP partnership, CA SiteMinder is acting as the IDP.
The SP has requested that a custom attribute named 'uid' be sent in the SAML assertion.
The IDP's authorizing user directory is ODBC, with one of the user attributes being 'company_id'.
How do we send this custom attribute using an out-of-the-box feature of SiteMinder?
Where can we define/configure this custom attribute 'uid' so that it corresponds to 'company_id' and sends the same value (stored as 'company_id' in the ODBC directory) under just the name 'uid' in the assertion?
You can use expressions to modify the ID that is sent. Is the ID in company_id = uid?
Yes, the value stored as 'company_id' should be sent as 'uid' in the SAML assertion,
where 'uid' as an attribute has no existence in the authorizing user directory.
I was trying to get clarity if the ID portion of company_id is the same as the UID, so company_uid needs to just become uid?
Here are sample expressions:

- email@example.com - (BEFORE(AFTER(userprincipalname,'@'),'.')+"-"+uid) becomes region-username
- firstname.lastname@example.org - UCASE(BEFORE(AFTER(userprincipalname,'@'),'.')+"\"+samaccountname) becomes REGION\SAMACCOUNTNAME
- sAmAccountName - (samaccountname+"_co") becomes samaccountname_co
Here is a link to a comment where I provide some more detailed instructions. You would use the AFTER operator to strip out the ID from company_id.
We were able to achieve this by defining the 'Assertion Attributes' option while creating a Partnership Federation via the AdminUI.
We defined 'uid' (the custom assertion name requested by the SP) under 'Assertion Attributes' with the 'Value' set to 'company_id'. (In the Directory section, the SQL query scheme is defined to get the value of company_id from ODBC.)
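As an added illustration (not CA SiteMinder code, and not posted by anyone in this thread), the following Python model shows what the two approaches described above produce: the direct 'uid' = company_id assertion-attribute mapping from the accepted answer, and the BEFORE/AFTER/UCASE expressions from the earlier reply. The user record is constructed, and the operator semantics (split at the first occurrence of the separator) are an assumption about the product's expression language.

```python
# Added example, not SiteMinder's own code. Models assertion-attribute
# mapping from a directory record to the name/value pairs an SP receives.
# Assumption: BEFORE/AFTER split at the FIRST occurrence of the separator.

def BEFORE(value: str, sep: str) -> str:
    """Text before the first occurrence of sep (whole value if sep is absent)."""
    head, _, _ = value.partition(sep)
    return head


def AFTER(value: str, sep: str) -> str:
    """Text after the first occurrence of sep (empty string if sep is absent)."""
    _, found, tail = value.partition(sep)
    return tail if found else ""


def UCASE(value: str) -> str:
    """Upper-case the value."""
    return value.upper()


# Constructed directory record standing in for the ODBC / LDAP lookup.
SAMPLE_USER = {
    "userprincipalname": "jdoe@emea.example.com",
    "uid": "jdoe",
    "samaccountname": "jdoe",
    "company_id": "C-1042",
}

# Assertion attribute name sent to the SP -> expression over the user record.
ASSERTION_ATTRIBUTES = {
    # The accepted answer: 'uid' in the assertion carries the directory's company_id.
    "uid": lambda u: u["company_id"],
    # region-username
    "region_uid": lambda u: BEFORE(AFTER(u["userprincipalname"], "@"), ".")
    + "-" + u["uid"],
    # REGION\SAMACCOUNTNAME
    "domain_login": lambda u: UCASE(
        BEFORE(AFTER(u["userprincipalname"], "@"), ".") + "\\" + u["samaccountname"]
    ),
    # samaccountname_co
    "sam_co": lambda u: u["samaccountname"] + "_co",
}


def build_assertion_attributes(user: dict, mappings=ASSERTION_ATTRIBUTES) -> dict:
    """Evaluate every mapping against the user record; only the mapped names leave the IDP."""
    return {name: expr(user) for name, expr in mappings.items()}


if __name__ == "__main__":
    for name, value in build_assertion_attributes(SAMPLE_USER).items():
        print(f"{name} = {value}")
```

Only the attributes listed in the mapping reach the SP, which keeps the assertion to the names the partner actually asked for; any other directory column (here userprincipalname and samaccountname) stays on the IDP side unless an expression explicitly uses it.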