How to pass SAML Assertion values to the backend application?

Article ID: 224139

Products

CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction

 

When running SiteMinder Policy Server as a Service Provider (SP), you
may need to pass values from the SAMLResponse to the backend
application server in HTTP headers or cookies. The requirement is to
fetch the assertion attributes sent in the SAML 2.0 assertion and
place each one in either an HTTP header variable or a cookie variable,
so that the application side can use the value for validation.

 

Environment

 

Policy Server: all versions

 

Resolution

 

There are two ways to pass the assertion values to the backend server
as HTTP headers: one without a Session Store, and the other with a
Session Store (1).

Regarding "HTTP Header Redirect Mode": when RelayState carries a
target URL as its value, this mode probably won't work (2).

The Session Store allows the Policy Server to retrieve the assertion
attribute value each time it is needed, usually during isAuthorized
processing.

 

Additional Information

 

(1)

    Know Why : HTTP Header Redirect Mode OR Persist Variables???

      | HTTP Header Redirect Mode             | Persist Session Variables       |
      |---------------------------------------+---------------------------------|
      | Does not need a Session Store         | Needs a Session Store           |
      | Header from Assertion are Only        | Header from Assertion are       |
      | available on the first redirect       | Persisted in the Session Store. |
      | from WAOP to TARGET. Lost thereafter. |                                 |

    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=41d04d15-bc90-432c-b6a1-bdb5ea3d03e7&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer#bm41d04d15-bc90-432c-b6a1-bdb5ea3d03e7

(2)

    Attributes Send to SP in SAML Assertion also need to be sent as HTTP Header Variables

      A Header using HTTP Redirect Mode is available on the first
      redirect i.e. TARGET URL defined within the Partnership. Once the
      redirect is complete and the application starts to load the HTTP
      Header is lost.

    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=778499#bm2bae6ccd-92c1-4b16-9076-75abd3dd5158
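
What the table in (1) and the note in (2) mean for an application behind HTTP Header Redirect Mode, as an added example that is not from the original article or from Broadcom: the backend copies the assertion-derived headers into its own session on the first request to TARGET, because they are absent afterwards. The header names, the `APPSESSION` cookie and the in-memory store are assumptions, and the sketch assumes the backend is reachable only through the Web Agent.

```python
import secrets

# Assumed CGI-style names for the headers carrying assertion attributes;
# use the names configured in your partnership.
ASSERTION_HEADERS = ("HTTP_SAML_EMAIL", "HTTP_SAML_GROUPS")
APP_COOKIE = "APPSESSION"   # hypothetical application session cookie
SESSIONS = {}               # app-side store: session id -> attributes

def get_cookie(environ, name):
    """Return the value of one request cookie, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def app(environ, start_response):
    """WSGI app: capture assertion headers once, then serve from own session."""
    headers = [("Content-Type", "text/plain")]
    attrs = SESSIONS.get(get_cookie(environ, APP_COOKIE))
    if attrs is None:
        # First request to TARGET after the redirect: the only request on
        # which redirect mode delivers the assertion headers.
        attrs = {h: environ[h] for h in ASSERTION_HEADERS if environ.get(h)}
        if not attrs:
            start_response("403 Forbidden", headers)
            return [b"no assertion attributes and no application session\n"]
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = attrs
        headers.append(("Set-Cookie",
                        f"{APP_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"))
    # Later requests use the stored copy; request headers are not re-read.
    start_response("200 OK", headers)
    body = "\n".join(f"{k}={v}" for k, v in sorted(attrs.items()))
    return [body.encode() + b"\n"]
```

With Persist Session Variables the Policy Server supplies the values from the Session Store, so this application-side copy is only needed in redirect mode.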