SAML 2.0 IDP running SiteMinder v12.52 needs to send additional attributes which are not contained in the user store. I've come up with two possible ways to handle this... Wanted to see if others had comments on these two methods relative to their level of effort to implement/support, or other possible solutions.
--- Method #1
Write an Assertion Generator Plugin (AGP) which makes a REST call to retrieve the additional attribute values, then inject them into the assertion.
--- Method #2
Send the user to an intermediate protected resource which uses the session store. Store the arbitrary data in the session store. When the inter-site transfer link is clicked, pull the arbitrary data from the session store and insert into the assertion.
Thoughts?
Both methods may work but you would have to write custom code. I would hardly advise you to get in touch with CA Services and they will advise you in terms of architecture and design. This is not an out-of-the-box functionality.
Hope it helps,
Which route did you implement?
Method-1: AGP was written to make a REST call to obtain the data, then insert into the assertion.
IDENTITY_MAP can be implemented as well which seems to be a feature from v12.5 but not very much exposed.