Symantec Access Management

  • 1.  How to use the customizeAssertion method

    Posted Mar 29, 2018 02:50 AM

    Hello All,

    How do I use the HTTP header and cookie information within the customizeAssertion method of the assertion generator plugin?
    I would like to change the assertion attribute to be given by user's selection (reflecting it in HTTP header and cookie information).

    Thank You

    Takahiro Tsutsui



  • 2.  Re: How to use the customizeAssertion method

    Broadcom Employee
    Posted Mar 29, 2018 04:32 AM

    Hello,

    SAML assertions can be sent over a back channel, so we cannot assume that user information exists in the HTTP header variables or cookies when the customizeAssertion method is invoked.
    Regarding the user information associated with the generated SAML assertion, a UserContext object is passed as the second parameter of the customizeAssertion method.

    Method Summary
     int customizeAssertion(APIContext apiContext, UserContext userContext, java.lang.String pluginParam, java.lang.String input, java.lang.StringBuffer output)
              Customizes the default SAML assertion (SAML 1.x) or response (SAML 2.0) that SiteMinder passes into this method, and returns an updated version of the input.

    Cheers,

    Seiji



  • 3.  Re: How to use the customizeAssertion method

    Posted Mar 29, 2018 05:33 AM

    Hi Seiji.
    Thank you for your reply.

     

    I do not want user information.
    I want information on results selected by the user.

    ·Screen transition
        User selection screen ⇒ Redirect ⇒ SAML assertion issue screen

    ·Image of user selection screen

    ===
    Which attribute do you want to log in with?
    ■ E-mail address
    □ Full name
    ===

    ⇒ In the above case, assign the e-mail address to the assertion attribute
     and throw it to the SP side.

    In the user selection screen, put the selection result (this time "mail address selected") in an HTTP header or cookie.
    If it can be passed to the customizeAssertion method called on the SAML assertion issue screen, I think that the above operation can be realized.



  • 4.  Re: How to use the customizeAssertion method

    Broadcom Employee
    Posted Mar 29, 2018 08:38 PM

    Hi,

    Let me try rephrasing the requirements.

    Precondition: The user has logged in to the CA SSO IdP locally.

    Requirements: Logged-in users can choose their email address or full name as their identity in the SAML assertion to be passed to the SP.

    Did I understand correctly?



  • 5.  Re: How to use the customizeAssertion method

    Posted Mar 29, 2018 09:31 PM

    Hi.
    Thank you for your reply.

    I am afraid I cannot write the preconditions.
    I think you understand it correctly.

    Thank You

    Takahiro Tsutsui



  • 6.  Re: How to use the customizeAssertion method

    Broadcom Employee
    Posted Mar 30, 2018 06:09 AM

    How about storing the chosen attribute in any unused user attribute in the User Directory and using it as the Name ID in the Assertion Configuration of the Federation Partnership?

    The customizeAssertion method isn't used at all.

    Cheers,

    Seiji



  • 7.  Re: How to use the customizeAssertion method

    Posted Mar 30, 2018 06:49 AM

    Hi.

    Thanks for your advice.

    We are considering how to store the selected attributes in the user directory.
    * It seems difficult to realize due to user directory restrictions.

    Alternatively,
    we are considering tampering with assertions and adding attributes.
    * Because there is a possibility of encryption and signing being used, hope is slim.

    If you have any other good ideas, please let me know.

    Thank You

    Takahiro Tsutsui



  • 8.  Re: How to use the customizeAssertion method

    Broadcom Employee
    Posted Apr 12, 2018 04:38 AM

    Hi,

    The sample program "SAML2AppAttrPlugin.java" in the CA SSO SDK may satisfy your requirements.
    According to the comments in the source file, its function is described as below:

     * This is an example of a SAML 2.0 Assertion Generator Plug-in.  This plug-in
     * is designed specifically to work with the sample_application.jsp which is
     * shipped with the Web Agent Option Pack as part of Federation Web Services.
     * The sample_application.jsp accepts two attributes from user input (NUM and
     * LANG), and inserts them into the Attribute Statement with Attribute Name
     * Formats of "basic".

    Cheers,
    Seiji
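The following is an added example, not code from this thread or from the CA SSO SDK. It shows, in Python rather than Java, the XML-editing logic that reply 2's customizeAssertion contract (input String in, updated StringBuffer out) and reply 8's SAML2AppAttrPlugin description (user-supplied attributes inserted into the Attribute Statement with the "basic" name format) both imply, with the two checks a reviewer would ask for: the cookie value is only ever matched against an allow-list of selections, never copied into the XML, and a response that already carries a Signature is refused rather than edited, which is the failure mode reply 7 worries about. The cookie name idp_attr_choice, the attribute name selectedIdentity, the directory attribute names mail and cn, the sample Response and the sample user record are all constructed assumptions; user_attrs stands in for the data the real method would read from its UserContext.

```python
"""Added example (not from the thread or the CA SSO SDK): XML-editing logic for a
SAML 2.0 assertion generator plug-in that adds one user-chosen attribute.
customize_assertion() stands in for the body of the customizeAssertion method."""
from http.cookies import SimpleCookie
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
COOKIE_NAME = "idp_attr_choice"   # assumed: cookie set by the selection screen
ATTR_NAME = "selectedIdentity"    # assumed: attribute name agreed with the SP

# Allow-list of selections, mapped to the directory attribute that supplies the
# value (attribute names assumed). The cookie string itself never reaches the XML.
CHOICES = {"email": "mail", "fullname": "cn"}


class AssertionCustomizeError(ValueError):
    """Raised when the plug-in must refuse to customize the response."""


def parse_selection(cookie_header):
    """Pull the user's choice out of a raw Cookie request header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel is not None else None


def customize_assertion(input_xml, selection, user_attrs):
    """Return input_xml with one extra <saml:Attribute> carrying the value of
    the directory attribute the user selected."""
    if selection not in CHOICES:
        raise AssertionCustomizeError(f"unknown selection {selection!r}")
    dir_attr = CHOICES[selection]
    if dir_attr not in user_attrs:
        raise AssertionCustomizeError(f"user has no {dir_attr} attribute")

    root = ET.fromstring(input_xml)
    # Editing a response that already carries a signature would break that
    # signature, so refuse instead of emitting an assertion the SP will reject.
    if root.find(".//ds:Signature", NS) is not None:
        raise AssertionCustomizeError("input already signed; customize before signing")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise AssertionCustomizeError("no Assertion element in Response")

    stmt = assertion.find("saml:AttributeStatement", NS)
    if stmt is None:
        stmt = ET.SubElement(assertion, f"{{{NS['saml']}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{NS['saml']}}}Attribute",
                         {"Name": ATTR_NAME, "NameFormat": BASIC})
    value = ET.SubElement(attr, f"{{{NS['saml']}}}AttributeValue")
    value.text = user_attrs[dir_attr]   # the serializer escapes <, > and &
    return ET.tostring(root, encoding="unicode")


def attribute_values(response_xml, name):
    """Read back every AttributeValue of the attribute called `name`."""
    root = ET.fromstring(response_xml)
    return [v.text for a in root.iter(f"{{{NS['saml']}}}Attribute")
            if a.get("Name") == name
            for v in a.findall("saml:AttributeValue", NS)]


def refuses(input_xml, selection, user_attrs):
    """True when customize_assertion() rejects the request."""
    try:
        customize_assertion(input_xml, selection, user_attrs)
    except AssertionCustomizeError:
        return True
    return False


# Constructed sample input: a minimal, unsigned SAML 2.0 Response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2018-03-29T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-03-29T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <saml:Subject><saml:NameID>uid123</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>uid123</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed directory record; the '<' and '&' show why the value must be escaped.
SAMPLE_USER = {"mail": "alice@example.invalid", "cn": "Alice <Example> & Co"}

if __name__ == "__main__":
    choice = parse_selection("JSESSIONID=abc; idp_attr_choice=email")
    print(customize_assertion(SAMPLE_RESPONSE, choice, SAMPLE_USER))
```

Because the choice is a key into CHOICES rather than a value copied into the assertion, a tampered cookie can at worst select the other allow-listed attribute; anything else is rejected before the XML is touched. The signature check assumes, as the thread's discussion does, that the plug-in is meant to run before the response is signed; if the input already contains a Signature, the only safe answer is to stop.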