CA Dynamic Assertion Generator Plug-In

Document created by odojo03 Employee on Oct 30, 2017

The Dynamic Assertion Generator Plug-In is a Java plug-in for CA Single Sign-On (also known as SiteMinder) that allows applications to pass additional user information to CA-SSO as part of the query string of an inter-site transfer link. The additional user information is used to modify the SAML Assertion being generated. The modification happens on the CA-SSO Policy Server just prior to the signature and encryption step. The information passed to the assertion generator plug-in must be encrypted using AES encryption and a shared key. This is done to ensure that the additional user data does indeed originate from a trusted application.

This module can have multiple instances running in a CA-SSO environment, each with their own configuration and shared key. This allows different partnerships to utilize this component as needed.


The Dynamic-AGP can perform three different functions when generating SAML Assertions. The features are:

  • Security Check - Perform optional security check against a field in the user record. This links the URL Query parameter to a specific user, so it cannot be used to modify a different SAML Assertion.
  • Add SAML Attributes - Add Attributes to the SAML Assertion (zero to many Attributes)
  • Change NameID - Replace the value of the NameID Element of the SAML Assertion (for example: use email instead of uid)
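
The shared-key encryption and the Security Check described above can be pictured with the following added example, which is not the plug-in's own code. The AES mode (GCM), the `boundUser|attributes` token layout, the `agpdata` parameter name and the example.com URL are all assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class DynamicAgpTokenDemo {
    // Application side: encrypt "boundUser|attributes" under the shared key (assumed layout).
    static String seal(byte[] key, String boundUser, String attrs) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);               // fresh nonce for every token
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal((boundUser + "|" + attrs).getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Receiving side: decrypt, then run the security check against the authenticated user.
    static String open(byte[] key, String token, String sessionUser) throws Exception {
        byte[] in = Base64.getUrlDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, in, 0, 12));
        // doFinal throws AEADBadTagException if the token was altered or the key is wrong
        String plain = new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
        int sep = plain.indexOf('|');
        if (sep < 0 || !plain.substring(0, sep).equals(sessionUser))
            throw new SecurityException("token is not bound to the authenticated user");
        return plain.substring(sep + 1);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];                      // constructed demo key; use the provisioned shared key
        new SecureRandom().nextBytes(key);
        String token = seal(key, "jdoe", "email=jdoe@example.com;dept=finance"); // constructed sample data
        System.out.println("https://idp.example.com/transfer?agpdata=" + token); // hypothetical link and parameter
        System.out.println(open(key, token, "jdoe"));   // attributes released for the bound user
        try {
            open(key, token, "asmith");                 // same token presented in a different user's session
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An authenticated mode is used here so that a modified token fails decryption instead of yielding altered attributes; the page itself only specifies AES with a shared key.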