Symantec Access Management

  • 1.  SAML SP Post HTTP Headers

    Posted Mar 17, 2015 08:55 AM

    Hi All,

     

    I have a query. We integrated a SaaS provider with SAML2 HTTP POST. SiteMinder is acting as the IdP and the SaaS provider as the SP (Service Provider).

     

    The SaaS provider requires that we provide an HTTP header value as part of the SAML POST message. Is this something that would be achievable? I.e. the user authenticates against SiteMinder SPS; on successful authentication and authorisation the user is redirected to the SaaS provider with the appropriate HTTP header value as part of the POST message.

     

    Any suggestions would be appreciated.

     

    Kind regards,

    Bjorn



  • 2.  Re: SAML SP Post HTTP Headers

    Posted Mar 17, 2015 09:07 AM

    Bjorn Bjorn_Gluck

     

    Yes, it is OOB functionality.

     

    Here is the link for Legacy Federation; the same is also true for Partnership Federation.

     

    The IdP can pass additional information about the User in the assertion as additional assertion attributes.

     

    https://wiki.ca.com/display/sm1252sp1/%28Optional%29+Configure+Attributes+for+Assertions

     

     

    Regards

     

    Hubert



  • 3.  Re: SAML SP Post HTTP Headers

    Posted Apr 02, 2015 11:14 AM

    Hi Hubert,

     

    Thank you very much for the information. I have been looking at this, but have not been able to resolve this.

     

    Basically, once the user is authenticated by SiteMinder, the user is redirected to the SaaS provider. The SaaS provider requires that an HTTP header of Access-Control-Allow-Origin: https://***.***.com is present. Is there a way to achieve this?

     

    Kind regards,

    Bjorn



  • 4.  Re: SAML SP Post HTTP Headers

    Posted Apr 02, 2015 12:05 PM

    Thank You Bjorn Bjorn_Gluck

     

    There are 3 options we have here.

     

    A]. If this is a static value for all users (i.e. it remains the same for every user), then we could configure a STATIC Response Attribute with Header Name "Access-Control-Allow-Origin" and value "https://***.***.com".

     

    B]. If it is a field that is populated somehow in the User Directory, then we could use a USER Response Attribute with Header Name "Access-Control-Allow-Origin" and, as the value, the "AttributeName in UserDirectory" which stores this value.

     

    C]. If we would like to generate this on the fly, then we'd need to write a custom AGP.

     

     

    Regards

     

    Hubert
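    Hubert's answers in posts 2 and 4 both come down to the same mechanism: whatever the IdP wants to hand the SP travels inside the assertion as attributes, and the HTTP-POST binding only carries that assertion as a base64-encoded form field, never as a header. The added example below (my code, not SiteMinder's or CA's) builds such a SAML 2.0 Response, assembles the attributes from the three sources post 4 describes (static values, user-directory values, and values computed on the fly, the role a custom AGP fills), wraps it in the self-submitting POST form, and decodes the attributes back on the SP side. Issuer, ACS and audience URLs, attribute names and the user record are hypothetical. The response is deliberately unsigned because XML-DSig needs a non-stdlib library; a real IdP signs the assertion and a real SP must reject one that is not signed.

```python
# Added example (not SiteMinder/CA code): SAML 2.0 Response with assertion
# attributes, wrapped for the HTTP-POST binding.  Unsigned on purpose; see lead-in.
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
from html import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def assemble_attributes(static_attrs, user_record, user_attr_map, compute=None):
    """The three sources from the thread: option A static values for every user,
    option B values read from the user directory entry (saml_name -> dir_attr),
    option C values computed on the fly (what a custom AGP would do)."""
    attrs = dict(static_attrs)
    for saml_name, dir_attr in user_attr_map.items():
        if dir_attr in user_record:
            attrs[saml_name] = user_record[dir_attr]
    if compute is not None:
        attrs.update(compute(user_record))
    return attrs


def build_response(issuer, acs_url, audience, name_id, attributes, lifetime=300):
    """Return an (unsigned) samlp:Response as an XML string."""
    now = dt.datetime.now(dt.timezone.utc)
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    expiry = stamp(now + dt.timedelta(seconds=lifetime))
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": "_" + uuid.uuid4().hex,
                      "Version": "2.0", "IssueInstant": stamp(now), "Destination": acs_url})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_SUCCESS})

    a = ET.SubElement(resp, f"{{{SAML}}}Assertion", {"ID": "_" + uuid.uuid4().hex,
                      "Version": "2.0", "IssueInstant": stamp(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = name_id
    sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                       {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData",
                  {"Recipient": acs_url, "NotOnOrAfter": expiry})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": stamp(now), "NotOnOrAfter": expiry})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    authn = ET.SubElement(a, f"{{{SAML}}}AuthnStatement",
                          {"AuthnInstant": stamp(now), "SessionIndex": "_" + uuid.uuid4().hex})
    ET.SubElement(ET.SubElement(authn, f"{{{SAML}}}AuthnContext"),
                  f"{{{SAML}}}AuthnContextClassRef").text = \
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    if attributes:
        # This is where the "additional information about the user" lives.
        st = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
        for name, value in attributes.items():
            attr = ET.SubElement(st, f"{{{SAML}}}Attribute", {"Name": name,
                                 "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"})
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = str(value)
    return ET.tostring(resp, encoding="unicode")


def encode_saml_response(xml_text):
    """Value of the SAMLResponse form field: base64 of the XML."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def http_post_binding_form(acs_url, xml_text, relay_state=None):
    """Self-submitting HTML page the IdP returns to the browser.  The browser
    POSTs these fields to the ACS; nothing here becomes an HTTP header."""
    fields = [("SAMLResponse", encode_saml_response(xml_text))]
    if relay_state:
        fields.append(("RelayState", relay_state))
    inputs = "".join(f'<input type="hidden" name="{n}" value="{escape(v, quote=True)}"/>'
                     for n, v in fields)
    return ('<html><body onload="document.forms[0].submit()">'
            f'<form method="POST" action="{escape(acs_url, quote=True)}">{inputs}'
            '<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>')


def extract_attributes(saml_response_b64):
    """SP side: decode the SAMLResponse field and read the AttributeStatement back."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    out = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        out[attr.get("Name")] = values[0] if len(values) == 1 else values
    return out


if __name__ == "__main__":
    # Constructed sample user record and mappings (hypothetical).
    attrs = assemble_attributes({"allowedOrigin": "https://app1.saasapp.com"},
                                {"mail": "bjorn@example.com", "department": "IT"},
                                {"department": "department"},
                                compute=lambda rec: {"loginHint": rec["mail"].split("@")[0]})
    xml_text = build_response("https://idp.example.com/affwebservices/public/saml2sso",
                              "https://app1.saasapp.com/saml/acs", "https://app1.saasapp.com",
                              "bjorn@example.com", attrs)
    print(http_post_binding_form("https://app1.saasapp.com/saml/acs", xml_text, "/app1/home"))
    print(extract_attributes(encode_saml_response(xml_text)))
```

    Running it prints the POST form and then the attributes the SP recovers from it; the same attribute dictionary comes back, which is the whole of what the binding can deliver. Anything the SP wants as a transport header has to come from elsewhere.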



  • 5.  Re: SAML SP Post HTTP Headers

    Posted Apr 02, 2015 12:08 PM

    Could I seek your confirmation again: does it need to be in an HTTP header of the HTTP request stream (i.e. HTTP traffic) OR within the SAML Assertion (Attributes)? If it is the former, then I don't think it could be done (nor does it fall under the SAML message exchange specs). If it is the latter, then the 3 options are listed above.



  • 6.  Re: SAML SP Post HTTP Headers

    Posted Apr 06, 2015 09:51 AM

    Hi Hubert,

     

    Thank you for the feedback. For this particular service provider it needs to be an HTTP header of the HTTP request stream. I have been suspecting that this is not something that is possible.

     

    One option that I am thinking of is actually protecting the Service Provider URL https://app1.saasapp.com/app1* with SiteMinder, proxying the request via SiteMinder SPS and inserting the HTTP header that way.

     

    Kind regards,

    Bjorn



  • 7.  Re: SAML SP Post HTTP Headers

    Posted Apr 06, 2015 10:04 AM

    Thank You Bjorn Bjorn_Gluck

     

    Yes, that is one possible way to do it: via SPS, injecting the header into the HTTP stream.

     

    The one thing that needs to be decided (taken care of) in "protecting the Service Provider via SPS" is whether we want the complete SP traffic to be routed via SPS (an additional traffic burden on the IdP side) or just the first/initial request (is there a loophole: if for some reason we miss the first request via SPS, what would happen?).

     

    Typically in a federated solution there is direct browser communication, i.e. Browser <> IdP and Browser <> SP. In this case it would look like Browser <> IdP (SPS) <> SP.

     

     

    Regards

     

    Hubert
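    Posts 6 and 7 settle on a reverse proxy in front of the SP that adds the header in transit. The added example below (my code, not SPS or CA code) is a minimal stdlib reverse proxy that does that, and it shows the check that such a proxy must make: any header the proxy injects is first stripped from what the client sent, so the value the SP sees is always the proxy's and never a client-supplied one, and hop-by-hop headers are not forwarded. Two points a practitioner should keep in mind follow from the thread itself: Access-Control-Allow-Origin is, by the CORS specification, a response header the browser evaluates, so the example adds it on the response path and uses a separate hypothetical header for the request direction Bjorn asked about; and, as Hubert notes, the injection only holds for requests that actually pass through the proxy, so the SP must be reachable only via the proxy for the header to be worth trusting. Upstream host, header names and values are hypothetical placeholders.

```python
# Added example (not SPS/CA code): header-injecting reverse proxy.  The
# merge_headers() check is the point: overwrite, never append, injected headers.
import http.client
import sys
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hop-by-hop headers (RFC 7230 section 6.1) are not forwarded by a proxy.
HOP_BY_HOP = frozenset({"connection", "keep-alive", "proxy-authenticate",
                        "proxy-authorization", "te", "trailers",
                        "transfer-encoding", "upgrade"})


def merge_headers(existing, injected, drop=HOP_BY_HOP):
    """Forward `existing` (list of (name, value)) minus hop-by-hop headers and
    minus every header whose name the proxy injects itself, then append the
    injected ones.  Dropping first is what stops a client from smuggling its own
    value for an injected header past whatever trust the SP places in the proxy."""
    blocked = {n.lower() for n in injected} | {n.lower() for n in drop}
    kept = [(n, v) for n, v in existing if n.lower() not in blocked]
    return kept + list(injected.items())


def upstream_request_headers(client_headers, upstream_host, injected):
    """Request direction: same merge, plus Host rewritten for the origin server."""
    hdrs = merge_headers(client_headers, injected, drop=HOP_BY_HOP | {"host"})
    return [("Host", upstream_host)] + hdrs


class InjectingProxy(BaseHTTPRequestHandler):
    upstream = "app1.saasapp.com"                      # SP host from the thread (hypothetical)
    inject_request = {"X-Forwarded-By": "sps-example"}  # hypothetical request header
    inject_response = {                                 # CORS header goes on the response
        "Access-Control-Allow-Origin": "https://sp-allowed-origin.example"}  # hypothetical

    def _proxy(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        conn = http.client.HTTPSConnection(self.upstream, timeout=10)
        conn.putrequest(self.command, self.path, skip_host=True, skip_accept_encoding=True)
        for name, value in upstream_request_headers(self.headers.items(), self.upstream,
                                                    self.inject_request):
            conn.putheader(name, value)
        conn.endheaders(body)
        resp = conn.getresponse()
        data = resp.read()
        self.send_response(resp.status, resp.reason)
        # Content-Length is recomputed because the body was fully buffered.
        for name, value in merge_headers(resp.getheaders(), self.inject_response,
                                         drop=HOP_BY_HOP | {"content-length"}):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
        conn.close()

    do_GET = do_POST = _proxy


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    ThreadingHTTPServer(("127.0.0.1", port), InjectingProxy).serve_forever()
```

    Start it with a port number and point a browser at it; every forwarded request reaches the upstream with exactly one X-Forwarded-By, whatever the client sent, and every response comes back with the proxy's Access-Control-Allow-Origin in place of any the upstream set.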