Symantec Access Management

  • 1.  SAML - Add additional attributes (not in userstore)

    Posted Jan 13, 2017 03:53 PM

    SAML 2.0 IDP running SiteMinder v12.52 needs to send additional attributes which are not contained in the user store.  I've come up with two possible ways to handle this...   Wanted to see if others had comments on these two methods relative to their level of effort to implement/support, or other possible solutions.


    --- Method #1
    Write an Assertion Generator Plugin (AGP) which makes a REST call to retrieve the additional attribute values, then inject them into the assertion.


    --- Method #2

    Send the user to an intermediate protected resource which uses the session store.  Store the arbitrary data in the session store.   When the inter-site transfer link is clicked, pull the arbitrary data from the session store and insert into the assertion.

    Thoughts?


    -J
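The product-independent core of Method #1 is the step where attribute values fetched from an outside source are merged into the assertion the IdP already built from the user store. The script below is an added illustration for this thread, not SiteMinder's AGP code or CA's API: the REST call is replaced by an in-memory lookup over constructed sample data so it runs offline, the assertion text is a constructed sample, and the function names are hypothetical. What it shows is the part that matters for safety: the extra attributes go in through the XML object model, so anything the external service returns is serialized as data rather than parsed as markup, and malformed attribute names are rejected instead of being written into the assertion.

```python
"""Merge externally sourced attributes into a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample: the assertion as built from the user store, before signing.
USERSTORE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2017-01-13T20:53:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the REST service's response, keyed by NameID.
EXTERNAL_ATTRIBUTES = {
    "jdoe": {"costCenter": "CC-4711", "entitlements": ["reports", "billing"]},
}


def fetch_external_attributes(name_id):
    """Hypothetical replacement for the REST call; returns {name: str or [str]}."""
    return EXTERNAL_ATTRIBUTES.get(name_id, {})


def is_valid_attribute_name(name):
    """Only accept non-empty names without surrounding or embedded whitespace."""
    return isinstance(name, str) and bool(name) and name == name.strip() and " " not in name


def subject_name_id(root):
    node = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if node is None or not node.text:
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def add_attribute_statement(assertion_xml, attributes):
    """Append a new AttributeStatement carrying the external attributes.

    A separate statement (rather than editing the user-store one) keeps the
    provenance of each attribute visible when the assertion is inspected.
    Values are set as element text, so the serializer escapes '<', '>' and '&'.
    """
    root = ET.fromstring(assertion_xml)
    stmt = ET.SubElement(root, f"{{{SAML_NS}}}AttributeStatement")
    for name, values in attributes.items():
        if not is_valid_attribute_name(name):
            raise ValueError(f"rejected attribute name: {name!r}")
        if isinstance(values, str):
            values = [values]
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in values:
            if not isinstance(value, str):
                raise ValueError(f"attribute {name!r}: value must be a string")
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def enrich_assertion(assertion_xml):
    """Look up the subject's extra attributes and return the enriched assertion XML."""
    root = ET.fromstring(assertion_xml)
    return add_attribute_statement(assertion_xml, fetch_external_attributes(subject_name_id(root)))


def attributes_in(assertion_xml):
    """Read back {Name: [values]} across all AttributeStatements (used to verify the result)."""
    root = ET.fromstring(assertion_xml)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        for attr in root.iter(f"{{{SAML_NS}}}Attribute")
    }


if __name__ == "__main__":
    print(enrich_assertion(USERSTORE_ASSERTION))
```

Two points the plugin author has to keep in mind regardless of language: the merge must happen before the IdP signs the assertion, since anything appended afterwards is either unsigned or invalidates the signature; and whatever the REST endpoint returns becomes asserted identity data at the service provider, so that call needs transport protection and server authentication just like the user store does.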



  • 2.  Re: SAML - Add additional attributes (not in userstore)

    Posted Jan 16, 2017 06:51 AM

    Hello Jeff,


    Both methods may work, but you would have to write custom code. I would hardly advise you to get in touch with CA Services, and they will advise you in terms of architecture and design. This is not an out-of-the-box functionality.


    Hope it helps,

    Julien.



  • 3.  Re: SAML - Add additional attributes (not in userstore)

    Posted Mar 26, 2018 09:45 PM

    Jeff,

    Which route did you implement?



  • 4.  Re: SAML - Add additional attributes (not in userstore)

    Posted Mar 27, 2018 11:16 AM

    Method #1: an AGP was written to make a REST call to obtain the data, then insert it into the assertion.



  • 5.  Re: SAML - Add additional attributes (not in userstore)

    Posted May 31, 2018 12:11 AM

    IDENTITY_MAP can be implemented as well, which seems to be a feature from v12.5 but is not very much exposed.