Symantec Access Management

  • 1.  saml asserting party assertion with multi-valued attribute syntax

    Posted Mar 31, 2015 01:08 PM

    I am looking for examples of the WAMUI Federation Manager to code a custom AP assertion attribute which contains a list as a multi-valued attribute. A RP requests a list of application roles included in the asserting assertion to authorize a user on the SaaS application. Is the solution only possible using the AGP plugin on the Policy Server?



  • 2.  Re: saml asserting party assertion with multi-valued attribute syntax

    Broadcom Employee
    Posted Apr 01, 2015 03:10 AM

    Hi Enrique,

    You might find samples in the SiteMinder SDK in

    SAML2AssertionSample.java

    AssertionSample.java

    where there is code to show how to list Assertion Attributes, and also how to "Change attributes from SM:NVpair to saml:Attribute" and "add new attributes from UserContext".

    Hope that helps,

    Patrick



  • 3.  Re: saml asserting party assertion with multi-valued attribute syntax

    Posted Apr 01, 2015 11:25 AM

    Patrick,

    Thanks for the suggestion. I was looking for a solution not based on developing a custom assertion generator plugin (AGP) to add the “list of roles” required for the SP. I may need to suggest this approach if the source of the “list of roles” is not located in a SM User Store.

    Take care.

    Enrique Torres

    Sr Principal Services Architect

    CA Technologies | 5465 Legacy Drive Suite 700 | Plano, TX 75024-3106

    Office: +1 214 473 1702 | Mobile: +1 915 204 7107 | Enrique.Torres@ca.com

    OOO Alert – April 15th through April 24th



  • 4.  Re: saml asserting party assertion with multi-valued attribute syntax

    Posted Apr 01, 2015 10:25 AM

    Enrique

    Just curious if this resolves your problem rather than having to write a custom AGP.

    For multivalued attributes, prefix FMATTR:

    Example (multivalued attributes): FMATTR:SM_USERGROUPS

    Before applying:

    If we set the response without FMATTR [role=<%userattr="SM_USERGROUPS"%>], the policy server returns all groups the user is mapped to in a single string separated with ^.

    Example: Group1^Group2^Group3^Group4

    After applying:

    In the XML document the values of the role attribute should be in different tags.

    <ns1:Attribute AttributeName="role" AttributeNamespace="http://schemas.xmlsoap.org/claims">
        <ns1:AttributeValue>Group1</ns1:AttributeValue>
        <ns1:AttributeValue>Group2</ns1:AttributeValue>
        <ns1:AttributeValue>Group3</ns1:AttributeValue>
    </ns1:Attribute>

    Regards

    Hubert
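The difference Hubert describes matters on the relying-party side: a generic SP reads one `AttributeValue` element per role and has no reason to know that `^` is a SiteMinder policy-response delimiter, so without `FMATTR:` the whole group list arrives as a single role string that matches nothing. The script below is an added example, not code from this thread, from CA or from the SiteMinder SDK. It builds the two attribute shapes from the post as constructed samples, extracts the role values the way an SP would, and does an exact-match authorization check. It assumes the `ns1` prefix in the post maps to the SAML 1.0 assertion namespace (`urn:oasis:names:tc:SAML:1.0:assertion`); the element and attribute names are the ones shown in the post.

```python
"""Extract a multi-valued 'role' attribute from a SAML 1.x attribute statement.

Constructed example (not from the thread): shows why the FMATTR: prefix matters
to the relying party. Without it, the policy server emits one AttributeValue
holding all groups joined with '^'; with it, each group is its own
AttributeValue, which is the only form a generic SP can consume.
"""
import xml.etree.ElementTree as ET

# Assumption: the ns1 prefix in the thread is the SAML 1.x assertion namespace.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Constructed sample: response attribute configured WITHOUT the FMATTR: prefix.
SINGLE_STRING_ATTR = f"""
<ns1:AttributeStatement xmlns:ns1="{SAML1_NS}">
  <ns1:Attribute AttributeName="role" AttributeNamespace="http://schemas.xmlsoap.org/claims">
    <ns1:AttributeValue>Group1^Group2^Group3^Group4</ns1:AttributeValue>
  </ns1:Attribute>
</ns1:AttributeStatement>
"""

# Constructed sample: response attribute configured as FMATTR:SM_USERGROUPS.
MULTI_VALUED_ATTR = f"""
<ns1:AttributeStatement xmlns:ns1="{SAML1_NS}">
  <ns1:Attribute AttributeName="role" AttributeNamespace="http://schemas.xmlsoap.org/claims">
    <ns1:AttributeValue>Group1</ns1:AttributeValue>
    <ns1:AttributeValue>Group2</ns1:AttributeValue>
    <ns1:AttributeValue>Group3</ns1:AttributeValue>
  </ns1:Attribute>
</ns1:AttributeStatement>
"""


def extract_attribute_values(xml_text: str, attribute_name: str) -> list[str]:
    """Return the AttributeValue texts of the named attribute, one per element.

    Deliberately does NOT split on '^': that delimiter is a SiteMinder policy
    response convention, not part of SAML, so an SP must not assume it.
    Signature validation of the assertion is assumed to have happened before
    the statement reaches this point.
    """
    root = ET.fromstring(xml_text)
    values: list[str] = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("AttributeName") != attribute_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def is_authorized(roles: list[str], required_role: str) -> bool:
    """Exact-match check: the string 'Group1^Group2' is not the role 'Group1'."""
    return required_role in roles


if __name__ == "__main__":
    for label, doc in (("without FMATTR", SINGLE_STRING_ATTR),
                       ("with FMATTR", MULTI_VALUED_ATTR)):
        roles = extract_attribute_values(doc, "role")
        print(f"{label}: roles={roles}, Group2 authorized={is_authorized(roles, 'Group2')}")
```

Run as-is to see both shapes side by side: the first case yields one role named `Group1^Group2^Group3^Group4` and the user is denied, the second yields three roles and the check for `Group2` passes. Keeping the match exact rather than substring-based is the point; an SP that "helpfully" splits on an IdP-specific delimiter couples its authorization logic to one vendor's response format.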



  • 5.  Re: saml asserting party assertion with multi-valued attribute syntax

    Posted Apr 01, 2015 11:27 AM

    Hubert,

    The FMATTR syntax is what I could not find in the SiteMinder Federation documentation. I may have searched using an incorrect string. Using FMATTR as shown would be the preferred approach over using a custom AGP; but the question on the query to use (LDAP or ODBC) is up to the customer. I will follow up later with a viable solution.

    Thanks.

    Enrique Torres

    Sr Principal Services Architect

    CA Technologies | 5465 Legacy Drive Suite 700 | Plano, TX 75024-3106

    Office: +1 214 473 1702 | Mobile: +1 915 204 7107 | Enrique.Torres@ca.com

    OOO Alert – April 15th through April 24th



  • 6.  Re: saml asserting party assertion with multi-valued attribute syntax

    Posted Apr 01, 2015 07:58 PM

    Enrique

    You are searching for the correct syntax. I too just figured out that none of the FSS Guides speak about this parameter. However, because of my closeness to working with the SharePoint solution, I made sure it was tested and documented there. This is a snippet from the SharePoint 2010 Guide.

    [Attachment: Capture.JPG]

    Regards

    Hubert



  • 7.  Re: saml asserting party assertion with multi-valued attribute syntax

    Posted Jan 18, 2017 06:04 AM

    Hi Enrique,

    Please let me know if you were able to find a viable solution for your question, as I have to implement the same thing for SSO federation. In my case, I have member roles in AD (Active Directory) and I have to filter roles for one application and send them as comma-separated values in the SAML response. Also, we store roles in a database as well, so if there is any option to fetch roles from the database.

    Thanks for looking into this.

    Sima



  • 8.  Re: saml asserting party assertion with multi-valued attribute syntax

    Posted Jan 18, 2017 08:48 AM

    Sima,

    The solution which gives the most control over sources of data (LDAP or SQL) and format of the required assertion is a custom assertion generator plugin (AGP). I'm sure you've seen the two replies which pointed to using OOTB federation features instead of the AGP. I did not, however, develop a solution in a lab to provide as a viable example.

    Enrique