SAML Assertion plugin – Moving CA SSO protected applications to the Cloud

File uploaded by masfr02 Employee on Oct 27, 2017
Version 1Show Document
  • View in full screen mode

SAML Assertion plugin – Moving CA SSO protected applications to the Cloud




The specific issue for the customer occurs when he tried to move some applications, historically managed on premise, on the cloud.

The applications were managed inside a portal, protected by CA SSO, and the authorization process is mainly managed by header variables provided by CA SSO. The header variable are retrieved by CA SSO from a dedicate Authorization user store, which does not contain credentials but just the user properties containing roles and groups.

CA SSO retrieves this information using the Identity Mapping feature.

The easiest approach used by the developers for moving the applications on the cloud, was:

  • The authentication is executed on premise using CA SSO as IdP
  • The applications are stored in cloud as SP
  • The SAML token used for authentication should contain, as attributes, the same parameters passed in the past as header variables
  • The applications get the attributes from SAML and manage the authorization process


For the developers’ point of view, the flow is correct but CA SSO does not support Identity mapping in the IdP authentication side.

Logically the CA SSO approach is correct, the IdP has the duty of authenticating the users and NOT getting the authorization attributes.


Possible solutions


We analyzed different solution for managing this issue:

  • Virtual directory - Implementing a virtual directory able to reproduce the Identity mapping feature and acting as a unique LDAP server, solve the problem defining a unique authentication (and authorization) user store
  • Session store – Another option is to store the authorization attributes in the session store, using a preceding authorization process. Unfortunately, it requires a store which should be accessible by all the Policy Server and continuously in synch.
  • SAML Assertion plugin – develop an assertion plugin class able to add the SAML attributes and retrieving these attributes from other stores.


The last approach was accepted and to provide a more standard interface the authorization attributes should be retrieved calling an external service (using REST/JSON interface) in our case published on the CA API Gateway.

(get the source and the binaries from: )