When IDP generates the SAML assertion with a set of attributes we would like to send the same attributes in different HTTP Request Headers.

Document ID : KB000010288
Last Modified Date : 14/02/2018
Introduction:

I am looking to implement a solution where we have a SAML2 SP (local) -> SAML2 IDP (remote) partnership created. Now, when the IDP generates the SAML assertion with a set of attributes, we would like to send the same attributes in different HTTP Request Headers.

Product documentation:

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/application-integration.html#o1904894

I was able to implement the above using the instructions mentioned, but when we change the redirect mode to HTTP Header, I don't seem to receive any headers from the SAML assertion. Strangely, when we change the redirect mode to Cookie, we could see the parameters sent in the assertion set as HTTP Cookie variables.

Is there something missing regarding the configuration for HTTP Header?


1) Navigate to web_agent_home/conf and modify the WebAgent.conf file. Uncomment the following entry so it appears as follows: LoadPlugin="path/SAMLDataPlugin.so"

2) Do one of the following tasks in the Application Integration step of the partnership wizard:
Select HTTP Headers as the Redirect Mode for the target application.

Background:

Check if additional attributes are passed as indicated in the guide:

The following additional values are passed as headers:

NAMEID
FORMAT
AUTHNCONTEXT

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1904894.html

Look for these attributes in the header dump, as below:

HTTP_AUTHNCONTEXT urn:oasis:names:tc:SAML:2.0:ac:classes:Password
HTTP_FORMAT urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
HTTP_NAMEID Robm

Instructions:

If you want to include additional attributes, you will have to modify the Partnership on the IDP and add the attributes you would like to be sent to the agent:

For example:

=> Screenshot of Partnership -> Assertion Configuration -> Assertion Attributes

In the above, I have included an assertion attribute (lname) of type user attribute and gave it a value of LastName.

The result is that this assertion attribute is sent to the client as below:

HTTP_AUTHNCONTEXT urn:oasis:names:tc:SAML:2.0:ac:classes:Password
HTTP_FORMAT urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
HTTP_NAMEID Robm
HTTP_LNAME Moore
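As an added diagnostic example (not part of this KB article or of the SiteMinder product), the Python below derives the HTTP_* variables an assertion should produce, following the mapping shown above (NameID -> HTTP_NAMEID, its Format -> HTTP_FORMAT, AuthnContextClassRef -> HTTP_AUTHNCONTEXT, attribute lname -> HTTP_LNAME), and compares them against a header dump to list what is missing. The sample assertion and dump are constructed, and the rule that custom attribute names are upper-cased is an assumption generalised from the single lname example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real IdP): NameID, AuthnContext and
# the custom attribute "lname" from the KB article's example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Robm</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="lname"><saml:AttributeValue>Moore</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed header dump showing the symptom from the article: the three
# default headers arrive but the custom attribute is missing.
SAMPLE_DUMP = """HTTP_AUTHNCONTEXT urn:oasis:names:tc:SAML:2.0:ac:classes:Password
HTTP_FORMAT urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
HTTP_NAMEID Robm"""

def expected_headers(assertion_xml):
    """Map assertion content to the HTTP_* variables the agent is expected to set."""
    root = ET.fromstring(assertion_xml)
    expected = {}
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is not None:
        expected["HTTP_NAMEID"] = (nameid.text or "").strip()
        expected["HTTP_FORMAT"] = nameid.get("Format", "")
    ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ctx is not None:
        expected["HTTP_AUTHNCONTEXT"] = (ctx.text or "").strip()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        # Assumption: the agent upper-cases the attribute name (lname -> HTTP_LNAME).
        val = attr.find("saml:AttributeValue", NS)
        expected["HTTP_" + attr.get("Name").upper()] = (val.text or "").strip() if val is not None else ""
    return expected

def missing_headers(assertion_xml, header_dump):
    """Parse a 'NAME value' dump and return expected headers that are absent or differ."""
    seen = dict((ln.split(None, 1) + [""])[:2] for ln in header_dump.strip().splitlines() if ln.strip())
    return {k: v for k, v in expected_headers(assertion_xml).items() if seen.get(k) != v}
```

Running missing_headers(SAMPLE_ASSERTION, SAMPLE_DUMP) on the constructed data reports only HTTP_LNAME, which points at the partnership's Assertion Attributes configuration rather than at the plugin or redirect mode.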

Additional Information:

More information on this topic can be found in the following community thread:

https://communities.ca.com/message/241955966