Symantec Access Management


Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

  • 1.  Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Jan 23, 2017 10:57 AM

    Hello All,

     

    I am looking to implement a solution where we have a SAML2 SP (local) -> SAML2 IDP (remote) partnership created. Now, when the IDP generates the SAML assertion with a set of attributes, we would like to send the same attributes in different HTTP request headers.

     

    Can you suggest how I can implement this solution, where I receive the SAML assertion with attributes and also get the attributes in HTTP headers? My system hosts the local SP and we are connecting to a remote IDP.

     

    Thanks

    Ankur Taneja



  • 2.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Jan 23, 2017 11:51 AM

    Hi Ankur,

     

    For a SAML entity, the Policy Server can use HTTP headers to pass identity attributes from an assertion to a back-end application. A backend application can be a target application for single sign-on or a user provisioning application. The system passes these headers in an encrypted cookie.

    The headers have the same name as the assertion attributes. For example, if the assertion attribute is "address", the application looks for the HTTP header "ADDRESS".

    Assertion attributes are case-sensitive, but HTTP headers are not. The Policy Server cannot pass the same attributes that differ only by case sensitivity and then map them to HTTP headers. For example, the system cannot pass "address" and "Address" as headers at the same time. In general, do not use the attributes with the same names that are only different because of case sensitivity or format.

    Please follow the steps below:

    1. Select Redirect Mode as HTTP Headers in Application Integration.
    2. Follow these steps:
    Verify that the CA SiteMinder® web agent is installed on the relying party system that is handling federation traffic.
    Navigate to web_agent_home/conf and modify the WebAgent.conf file. Uncomment the following entry so it appears as follows:
    Windows
    LoadPlugin="path\SAMLDataPlugin.dll"

    UNIX
    LoadPlugin="path/SAMLDataPlugin.so"

    (Optional but recommended) Add the fedheaderprefix setting to the appropriate Agent Configuration Object for the web agent. Enter any string as the prefix.
    The fedheaderprefix setting specifies a global prefix that CA SiteMinder® adds to HTTP headers. Setting a prefix protects HTTP headers against manipulation by an unauthorized user before CA SiteMinder® consumes an assertion. As a result, only legitimate headers get passed to the target application. Read more about protecting HTTP headers.

    Do one of the following tasks in the Application Integration step of the partnership wizard:
    Select HTTP Headers as the Redirect Mode for the target application.
    Select HTTP Headers as the Delivery Option for user provisioning.
    HTTP headers are now configured to pass attribute data.

    Please refer to the link below for more details.
    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/application-integration.html#o1904894

     

    Thanks,

    Sharan



  • 3.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Jan 23, 2017 12:37 PM

    Hello Sharan,

     

    Thank you for the reply, but I have a few questions.

    - I have set the Redirect Mode to HTTP Headers under Application Integration (tab) -> Target Application.

    - "If you select HTTP Headers as the redirect mode, CA SiteMinder® can deliver multiple attribute values in a single header. Separate each attribute value with a comma." How can I do that? Where can I separate them with a comma?

    - "Do not use attributes with the same names that are only different because of case sensitivity or format." Where do I define the HTTP headers that would be sent?

    - I couldn't find LoadPlugin="path/SAMLDataPlugin.so" in the WebAgent.conf file. Should I add a new entry?

    - Do one of the following tasks in the Application Integration step of the partnership wizard:

    • Select HTTP Headers as the Redirect Mode for the target application. (Done that, as mentioned in the 1st point.)
    • Select HTTP Headers as the Delivery Option for user provisioning. (Where do I need to configure this?)

     

    Thank you

    Ankur



  • 4.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Jan 24, 2017 05:19 AM

    Hi Ankur,

     

    Please do the following.

    1) Select HTTP Headers as the Redirect Mode for the target application.
    2) By default the SAMLDataPlugin.so entry is present in WebAgent.conf and it is commented out. You just need to uncomment it (please check on the web agent machine).
    3) Restart both the agent and the option pack.

    If you select HTTP Headers as the redirect mode, CA SiteMinder® can deliver multiple attribute values in a single header. Separate each attribute value with a comma.
    How can I do that? Where can I separate them with a comma? --> SAMLDataPlugin will take care of this; you don't have to do anything.
    Do not use attributes with the same names that are only different because of case sensitivity or format. Where do I define the HTTP headers that would be sent? --> The headers have the same names as the assertion attributes.

     

    Thanks,

    Sharan



  • 5.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Jan 24, 2017 06:54 PM

    Also, there is an option to manipulate the assertion attributes, such as changing the HTTP header name, merging attribute values like first name and surname into a full name, etc.

    Then they can be passed on to the application as a cookie or headers.

     

    Mapping Assertion Attributes to Application Attributes (SAML only) 



  • 6.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Jan 26, 2017 09:48 AM

    Things to take into consideration from E2E Design Perspective. Configuration is one side of the coin, Designing it strategically is the other side.

     

    Know How : SMSAMLDATA Plugin and SM_ Headers 

     

    Know Why : HTTP Header Redirect Mode OR Persist Variables??? 

     

     

    Regards

    Hubert



  • 7.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Jan 31, 2017 07:46 PM

    Some samples to go with it

     

    Step by Step: Facebook partnership 2 

    In the above sample, it demonstrates how the HTTP Header is set from Assertion Attributes.

    A use case for SAMLDataPlugin and "HTTP Headers" redirect mode.

    It also demonstrates using OpenFormatCookie redirect mode.

     

     

    Using Persist Attributes 

    This is a use case for using Persist Attributes (requires a session store).

    The use case here also demonstrates how the assertion attributes received from one federation can be passed over to the next federation partnership.

    It also demonstrates how normal response headers can be set via the web agent reading the persisted attributes in the session store.

    It was actually to highlight a problem where a null value attribute can cause a problem when using persist attributes.



  • 8.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Feb 02, 2017 08:09 AM

    Hello All,

     

    Thank you for the comments.

     

    I was able to implement the above using the instructions mentioned, but when I change the redirect mode to HTTP Headers, I don't seem to receive any headers from the SAML assertion. But strangely, when I change the redirect mode to Cookie, I can see the parameters sent in the assertion set as HTTP cookie variables.

     

    Is there something I am missing regarding the configuration for HTTP Headers? I am doing the 2 points below:

     

    1) Navigate to web_agent_home/conf and modify the WebAgent.conf file. Uncomment the following entry so it appears as follows: LoadPlugin="path/SAMLDataPlugin.so"

     

    2) Do one of the following tasks in the Application Integration step of the partnership wizard:

    • Select HTTP Headers as the Redirect Mode for the target application.

     

    Would really appreciate your inputs!

     

    Thanks.

    Ankur Taneja



  • 9.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Feb 02, 2017 09:03 AM

    Ankur

     

    A header using HTTP Headers redirect mode is available on the first redirect, i.e. the TARGET URL defined within the partnership. Once the redirect is complete and the application starts to load, the HTTP header is lost. So it really depends on which URI / URL you are trying to read the header at. If it is not the first one, then you won't find it.

     

    As for a cookie, that is set on the browser and is available until it expires. Hence it is available on all resources until expiry.

     

    Know How : SMSAMLDATA Plugin and SM_ Headers 

     

    Know Why : HTTP Header Redirect Mode OR Persist Variables??? 

     

     

    Regards

    Hubert.



  • 10.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Feb 06, 2017 03:31 AM

    Hello Hubert,

     

    Yes, I am looking at the immediate TARGET URL and could not see any headers generated. But to my surprise the cookies are generated fine and I could see them at the immediate TARGET URL.

     

    Is my implementation mentioned above correct? Or am I missing some fine detail here while configuring?

     

    Thank you again for all the comments and help till now.

     

    Thanks

    Ankur Taneja



  • 11.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Broadcom Employee
    Posted Feb 10, 2017 04:35 AM

    You should check if additional attributes are passed as indicated in the guide:

     

    The following additional values are passed as headers:

     

    NAMEID

    FORMAT

    AUTHNCONTEXT

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1904894.html

     

    You should look for these attributes in the header dump as below:

     

     

    If you want to include additional attributes, you will have to modify the Partnership on the IDP and add the attributes you would like to be sent to the agent:

     

    For example:

     

     

    In the above, I have included an assertion attribute (lanme) of type user attribute and gave it the value LastName.

     

    The result is that this assertion attribute is sent to the client as below:

     


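The posts above make four points about consuming the headers on the application side: header names are case-insensitive while assertion attribute names are not (post 2), multiple values arrive comma-joined in one header (post 4), the headers exist only on the first request to the partnership's TARGET URL (post 9), and NAMEID, FORMAT and AUTHNCONTEXT are delivered as headers alongside the configured attributes (post 11). The following is an added example illustrating all four, not code from this thread or from the CA/Symantec product. It assumes a fedheaderprefix of "FED_", assumes the prefix is also applied to the NAMEID/FORMAT/AUTHNCONTEXT headers, uses a hypothetical target path "/fed/target", and works on a constructed header set rather than captured traffic.

```python
"""Consume federation attributes delivered as HTTP headers by the web agent.

Added example, not from the thread or the product. Assumptions: the ACO's
fedheaderprefix is "FED_", the prefix is applied to NAMEID/FORMAT/AUTHNCONTEXT
as well, and the partnership's TARGET URL path is "/fed/target".
"""

FED_HEADER_PREFIX = "FED_"  # assumed fedheaderprefix value set in the ACO
PRODUCT_HEADERS = ("NAMEID", "FORMAT", "AUTHNCONTEXT")  # added by the product


def find_case_collisions(attribute_names):
    """Group assertion attribute names that differ only by case.

    Assertion attributes are case-sensitive but HTTP header names are not,
    so "address" and "Address" would land in the same header. Run this over
    the planned attribute list before configuring the partnership.
    """
    by_header = {}
    for name in attribute_names:
        by_header.setdefault(name.upper(), []).append(name)
    return {h: names for h, names in by_header.items() if len(names) > 1}


class FederationHeaders:
    """Read-only view of the federation headers on one inbound request."""

    def __init__(self, raw_headers, prefix=FED_HEADER_PREFIX):
        # HTTP header names are case-insensitive: normalise once, up front.
        self._headers = {name.upper(): value for name, value in raw_headers.items()}
        self._prefix = prefix.upper()

    def attribute(self, name):
        """Values of one assertion attribute as a list, [] when absent.

        Only the prefixed header is consulted. An unprefixed header of the
        same name could have been supplied by the client instead of being
        set by the agent, so it is deliberately ignored.
        """
        raw = self._headers.get(self._prefix + name.upper())
        if raw is None:
            return []
        # SAMLDataPlugin joins multiple values with commas; split and trim.
        return [v.strip() for v in raw.split(",") if v.strip()]

    def identity(self):
        """NAMEID / FORMAT / AUTHNCONTEXT, first value each, None if missing."""
        return {h: (self.attribute(h) or [None])[0] for h in PRODUCT_HEADERS}


def capture_at_target(request_path, raw_headers, session, attributes,
                      target_path="/fed/target"):
    """Copy the attributes into the application's own session on the first hop.

    In HTTP Headers redirect mode the headers accompany the redirect to the
    partnership's TARGET URL and are gone on later requests, so the application
    reads them there and keeps its own copy. Returns True when captured.
    """
    if request_path != target_path:
        return False
    fed = FederationHeaders(raw_headers)
    session["federation"] = {name: fed.attribute(name) for name in attributes}
    session["federation_identity"] = fed.identity()
    return True


# Constructed request headers for the demo; not captured traffic.
SAMPLE_REQUEST_HEADERS = {
    "Host": "sp.example.com",
    "Address": "forged by client",        # unprefixed: never trusted
    "FED_ADDRESS": "12 Example Street",
    "FED_GROUPS": "admins, auditors",     # two values in one header
    "fed_email": "ankur@example.com",     # lower-case header name still matches
    "FED_NAMEID": "ankur@example.com",
    "FED_FORMAT": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "FED_AUTHNCONTEXT": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}

if __name__ == "__main__":
    fed = FederationHeaders(SAMPLE_REQUEST_HEADERS)
    print(fed.attribute("groups"))    # ['admins', 'auditors']
    print(fed.attribute("address"))   # ['12 Example Street']
    print(fed.identity()["NAMEID"])   # ankur@example.com
    print(find_case_collisions(["address", "Address", "email"]))
```

Two caveats worth keeping in mind with this approach: the prefix check only means something when the application is reachable solely through the web agent, since a client that can talk to the application directly can send any header it likes; and because the plugin joins multiple values with commas, an attribute whose single value itself contains a comma (a postal address, for instance) cannot be distinguished from two values on the receiving side.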

  • 12.  Re: Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

    Posted Feb 17, 2017 01:45 AM

     Thank you all for your inputs!!

     

    I was able to successfully implement the mapping.