AnsweredAssumed Answered

SAML v2: How to include the SessionIndex attribute as part of the <saml2:AuthnStatement> element in the AuthnResponse ?

Question asked by alex.heijdenrijk on Oct 28, 2015
Latest reply on Nov 5, 2015 by goeer03

Hello all,

 

I am building the necessary policies for a (SAMLv2) STS for WebSSO using some example policies I got from CA support.

 

Question:

  1. How can I include the SessionIndex attribute as part of the <saml2:AuthnStatement> element in the AuthnResponse ?

 

According to saml-profiles-2.0-os (Profiles for the OASIS Security Assertion Markup Language V2.0 OASIS Standard, 15 March 2005), Section 4.1.4 Use of Authentication Request Protocol, subsection 4.1.4.2 <Response> Usage:

". At least one assertion containing an <AuthnStatement> MUST contain a <Subject> element with at least one <SubjectConfirmation> element containing a Method of urn:oasis:names:tc:SAML:2.0:cm:bearer. If the identity provider supports the Single Logout profile, defined in Section 4.4, any such authentication statements MUST include a SessionIndex attribute to enable per-session logout requests by the service provider."

 

In either the "Create SAML Token Assertion" or the "Build SAML Protocol Response Assertion" I cannot locate a SessionIndex attribute !

 

CA Technical support replies:

"This option is not available via these SAML assertions, however there is a Feature Request SSG-10959 opened. When searching for any possible alternative solutions, I've found references in other cases where customers have been able to add the SessionIndex element could via the 'Evaluate Request XPath and XSL transformation' assertions followed by manually signing the token."

 

Unfortunately CA Technical support is not willing to share customer names who have created a workaround !

Can someone please help me to include the SessionIndex attribute to the AuthnResponse ?

 

Kind regards,

 

Alex Heijdenrijk

Outcomes