Layer 7 Access Management


Custom Attribute requested by SP to be sent in a SAML Assertion

  • 1.  Custom Attribute requested by SP to be sent in a SAML Assertion

    Posted 04-11-2017 01:05 PM

    Hello all,

    In an IDP-SP partnership, CA SiteMinder is acting as the IDP.

    SP has requested to send a custom attribute with the name 'uid' in the SAML assertion.

    The IDP's authorizing user directory is ODBC, with one of the user attributes being 'company_id'.

    How can we send this custom attribute using an out-of-the-box feature of SiteMinder?

    Where can we define/configure this custom attribute 'uid' so that it corresponds to 'company_id' and sends the same value (stored as 'company_id' in the ODBC directory) under just the name 'uid' in the assertion?



  • 2.  Re: Custom Attribute requested by SP to be sent in a SAML Assertion

    Posted 04-11-2017 01:20 PM

    You can use expressions to modify the id that is sent.  Is the ID in company_id = uid?




  • 3.  Re: Custom Attribute requested by SP to be sent in a SAML Assertion

    Posted 04-11-2017 01:47 PM

    Yes, the value stored as 'company_id' should be sent as 'uid' in the SAML assertion,

    where 'uid' as an attribute has no existence in the authorizing user directory.



  • 4.  Re: Custom Attribute requested by SP to be sent in a SAML Assertion

    Posted 04-11-2017 02:19 PM

    I was trying to get clarity on whether the ID portion of company_id is the same as the UID, so company_id just needs to become uid?

    Here are sample expressions.

    username@region.company.com - (BEFORE(AFTER(userprincipalname,'@'),'.')+"-"+uid) becomes region-username
    username@region.company.com - UCASE(BEFORE(AFTER(userprincipalname,'@'),'.')+"\"+samaccountname) becomes REGION\SAMACCOUNTNAME
    sAmAccountName - (samaccountname+"_co") - becomes samaccountname_co


    Here is a link to a comment where I provide some more detailed instructions.  You would use the AFTER operator to strip out the ID from company_id.



  • 5.  Re: Custom Attribute requested by SP to be sent in a SAML Assertion

    Posted 04-12-2017 06:19 AM

    We were able to achieve this by defining the 'Assertion Attributes' option while creating a Partnership Federation via AdminUI.

    We defined 'uid' (the custom assertion attribute name requested by the SP) under 'Assertion Attributes' with the 'Value' as 'company_id'. (In the Directory section, the SQL query scheme is defined to get the value for company_id from ODBC.)
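The following is an added example, not code from the thread or from CA SiteMinder, that models what the two answers above describe: an assertion-attribute mapping that reads a directory attribute (here a constructed ODBC row) and emits it under a different SAML attribute name, plus the BEFORE/AFTER/UCASE-style expressions from post 4. The `before`, `after` and `ucase` helpers are my reading of those SiteMinder expression functions, not their real implementation; the first post-4 expression references `uid`, which in this thread's scenario does not exist in the directory, so the example substitutes `samaccountname` for the username part. The sample user row, attribute names other than `uid` and `company_id`, and the empty-value check are assumptions made for illustration.

```python
"""
Model of a SiteMinder-style assertion attribute mapping (added example).

Shows that the SAML attribute *name* the SP sees ("uid") is chosen in the
mapping, while the *value* comes from the directory attribute ("company_id"),
and that expression-style transforms can be applied on the way out.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample ODBC user row; not real data.
SAMPLE_USER = {
    "company_id": "C-4471",
    "userprincipalname": "jdoe@emea.company.com",
    "samaccountname": "jdoe",
}


def before(s: str, sep: str) -> str:
    """Portion of s before the first occurrence of sep (whole string if absent).
    Assumption: approximates SiteMinder's BEFORE()."""
    i = s.find(sep)
    return s if i < 0 else s[:i]


def after(s: str, sep: str) -> str:
    """Portion of s after the first occurrence of sep (empty if absent).
    Assumption: approximates SiteMinder's AFTER()."""
    i = s.find(sep)
    return "" if i < 0 else s[i + len(sep):]


def ucase(s: str) -> str:
    """Assumption: approximates SiteMinder's UCASE()."""
    return s.upper()


# Assertion attribute mapping: SAML attribute name -> expression over the user row.
# "uid" is the thread's case: a pure rename of company_id.
# The other two mirror the sample expressions from post 4 (hypothetical names).
ATTRIBUTE_MAP = {
    "uid": lambda u: u["company_id"],
    "region-user": lambda u: before(after(u["userprincipalname"], "@"), ".")
    + "-" + u["samaccountname"],
    "domain-user": lambda u: ucase(
        before(after(u["userprincipalname"], "@"), ".") + "\\" + u["samaccountname"]
    ),
}


def resolve_attributes(user: dict, mapping: dict = ATTRIBUTE_MAP) -> dict:
    """Evaluate every mapped expression against the directory row.

    An empty identifier would let the SP match nothing (or the wrong thing),
    so refuse to produce an assertion rather than send a blank uid.
    """
    resolved = {}
    for name, expr in mapping.items():
        value = expr(user)
        if not value:
            raise ValueError(f"assertion attribute {name!r} resolved to an empty value")
        resolved[name] = value
    return resolved


def build_attribute_statement(attrs: dict) -> str:
    """Serialise the resolved attributes as a SAML 2.0 AttributeStatement."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(
            stmt,
            f"{{{SAML_NS}}}Attribute",
            Name=name,
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
        )
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(stmt, encoding="unicode")


def attribute_from_statement(xml_text: str, name: str):
    """SP-side check: read one named attribute back out of the statement."""
    root = ET.fromstring(xml_text)
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            return attr.find(f"{{{SAML_NS}}}AttributeValue").text
    return None


if __name__ == "__main__":
    statement = build_attribute_statement(resolve_attributes(SAMPLE_USER))
    print(statement)
    print("SP sees uid =", attribute_from_statement(statement, "uid"))
```

The point worth checking on the SP side is the last call: the statement carries `uid` with the company_id value and no attribute named `company_id` at all, which is exactly what the partnership's 'Assertion Attributes' entry achieves in the real product.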