Symantec SiteMinder

Tech Tip - CA Single Sign-On: Name Identification for assertion

By wonsa03 posted Aug 02, 2016 06:25 PM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 3rd August 2016

 

Introduction:

The Name ID attribute, a required assertion attribute, identifies a user in a unique way. The Name ID format indicates the identifier type that the federated partners support. The Name ID type specifies the user profile attribute that is associated with the name ID format. The user profile attributes come from a user store or the session store.

At the relying party, the partner must be able to locate a user in the local user directory. Locating the user in the user directory is the process of disambiguation. Configure the identity attribute for user disambiguation in the User Identification dialog.

The Policy Server can use one of the following methods for the disambiguation process:

  • Extract the Name ID value from the assertion.
  • Use the value of a specific attribute from the assertion.
  • Use the value that an XPath query obtains. The XPath query locates and extracts an attribute other than the Name ID from the assertion.

After you determine which attribute is extracted from the assertion, include this attribute in a search specification. After a successful disambiguation process, the Policy Server generates a session for the user.

Question:

How do I nominate a preferred attribute as the Name Identifier (Name ID) in the assertion?

Environment:

Applies to all Federation Gateway options: Web Agent Option Pack, Secure Proxy Server and Federation Manager.

Answer:

For Partnership Federation, the Identity Provider can specify its preferred attribute as the Name Identifier under Partnerships >> Assertion Configuration (Partnership). For Legacy Federation, the Name Identifier is fixed:

  • ODBC user store -- Name attribute
  • LDAP user store -- User DN attribute

Additional attributes are included under the <SM: SMprofile> tag. Use an XPath query to locate and extract an attribute other than the Name ID from the assertion for the disambiguation process.
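As an added illustration of the disambiguation methods listed in the Introduction and of the XPath-based lookup described in the Answer (example code written for this tech tip, not CA Single Sign-On product code): the sample assertion is constructed, uses the standard SAML 2.0 Subject and AttributeStatement elements rather than SiteMinder's own SMprofile layout, and the attribute and directory names are assumptions. The extracted value is escaped before it is placed in the LDAP search specification so that a value from the assertion cannot alter the filter.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion (not captured from a real deployment): a NameID
# plus extra attributes that a relying party might prefer for disambiguation.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      >uid=jdoe,ou=people,dc=example,dc=com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="employeeNumber">
      <saml:AttributeValue>10042</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def extract_name_id(assertion_xml):
    """Method 1: take the Name ID value from the assertion Subject."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", NS)
    return None if node is None else (node.text or "").strip()


def extract_attribute(assertion_xml, name):
    """Method 2/3: locate an attribute other than the Name ID by its Name.
    The configured name is compared in Python rather than interpolated into
    the path expression, so it cannot change the query."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            value = attr.find("saml:AttributeValue", NS)
            return None if value is None else (value.text or "").strip()
    return None


def ldap_filter_escape(value):
    """RFC 4515 escaping: *, (, ), \\ and NUL become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_search_spec(assertion_xml, assertion_attr, directory_attr):
    """Search specification for disambiguation, e.g. (mail=jdoe@example.com).
    Returns None when the assertion lacks the identity attribute."""
    value = (extract_name_id(assertion_xml) if assertion_attr == "NameID"
             else extract_attribute(assertion_xml, assertion_attr))
    if not value:
        return None
    return "(%s=%s)" % (directory_attr, ldap_filter_escape(value))
```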
