Layer7 Access Management

TechTip: When IDP generates the SAML assertion with a set of attributes we would like to send the same attributes in different HTTP Request Headers.

  • 1.  TechTip: When IDP generates the SAML assertion with a set of attributes we would like to send the same attributes in different HTTP Request Headers.

    Posted 04-12-2017 04:20 AM

    Introduction

    Looking to implement a solution where i we have an SAML2 SP(local)->SAML2 IDP(remote) partnership created. Now when IDP generates the SAML assertion with a set of attributes we would like to send the same attributes in different HTTP Request Headers.

     

    Product documentation:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/application-integration.html#o1904894

     

    I was able to implement the above using the instructions mentioned, but when we change the redirect move to HTTP Header then i don't seem to receive any headers from the SAML assertion . But strangely when we change the redirect mode to Cookie then we could see the parameters sent in assertion set as HTTP Cookie variable.

     

    Is there something missing regarding the configuration for HTTP Header? 


    1) Navigate to web_agent_home/conf and modify the WebAgent.conf file. Uncomment the following entry so it appears as follows: LoadPlugin="path/SAMLDataPlugin.so"

    2)Do one of the following tasks in the Application Integration step of the partnership wizard:
    Select HTTP Headers as the Redirect Mode for the target application. 

    Background

    Check if additional attributes are passed as indicated in the guide:

     

    The following additional values are passed as headers:

     

    NAMEID
    FORMAT
    AUTHNCONTEXT

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1904894.html

     

    Look for these attributes in the header dump as below:

     

    HTTP_AUTHNCONTEXT urn:oasis:names:tc:SAML:2.0:ac:classes:Password
    HTTP_FORMAT urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    HTTP_NAMEID Robm 

    Instructions

    If you want to include additional attributes, you will have to modify the Partnership on the IDP and add the attributes you would like to be sent to the agent:

     

    For example:

     

    => Screenshot of Partneership -> Assertion Configuration -> Assertion Attributes 

     

    In the above, I have included an assertion attribute(lname) of type user attribute and gave it a value of LastName.

     

    The result is that, this assertion attribute is sent to the client as below: 

    HTTP_AUTHNCONTEXT urn:oasis:names:tc:SAML:2.0:ac:classes:Password

    HTTP_FORMAT urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    HTTP_NAMEID Robm

    HTTP_LNAME Moore

    Additional Information

    More information on this topic could be found on the following community thread :

     

    https://communities.ca.com/message/241955966

     

    KD : TEC1606775