NameId in SAML assertion customization in Policy Server

Article ID: 258861

Products

CA Single Sign On Federation (SiteMinder)

Issue/Introduction

When running Policy Server for the Federation journey, how can the NameID value placed in the outgoing SAML assertion be modified? In this scenario the Policy Server is on the IdP side.

Resolution

Policy Server acting as IdP has a feature to customize the Assertion Generator. When configuring the Partnership in the AdminUI, on the "Assertion Configuration" tab, there is a section at the bottom called "Assertion Generator Plug-in" where the location of your custom Assertion Generator can be specified.

The SDK installation contains a sample custom Assertion Generator that can be used as a guide for the implementation.

On a Linux installation, for example:

  /opt/CA/sdk/samples/assertiongeneratorplugin

  AssertionSample.java 

    /**
     * Change saml:NameIdentifier Format for Authentication statement from "uid" to "email"
     */
    protected boolean ChangeAuthAttribute(Document assertionDoc) throws Exception {
        // Get the root element of the assertion DOM; it is the context node for the XPath lookups
        Node xRoot = assertionDoc.getDocumentElement();

        [...omitted for brevity...]

        // Get the current user's path, it is UserDN as this user is authenticated.
        String userDN = userContext.getProp("SM_USERNAME");
        apiContext.trace("Sample Assertion Plugin", "Retrieved user dn from userContext: " + userDN);

        // You can also get the userDN by userContext.getUserName
        apiContext.trace("Sample Assertion Plugin", "Another way to retrieve user dn from userContext: " + userContext.getUserName());

        // Do the user mapping here.
        // You can do some engineering work on the current user's DN
        // or you can compose the mapped user DN with current user's uid, which can be retrieved via userContext.getProp("uid")

        // Get the user's email attribute,
        // if user is the mapped user which is different from the current one,
        // please add "<SMUNRELATEDDN>" prefix string for the input DN.
        String email = userContext.getDnProp("<SMUNRELATEDDN>" + userDN, "mail");

        apiContext.trace("Sample Assertion Plugin", "Retrieved user email from userContext: " + email);

Refer to the documentation (1) on how to implement it.
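As an added illustration (not code from the SDK sample or from the product), the following stand-alone Java helper shows the DOM step that the excerpt above omits: replacing the NameID value in the generated assertion with the user's mail attribute and setting the Format accordingly. It generalizes the sample slightly by handling both the SAML 2.0 NameID and the SAML 1.x NameIdentifier element; the class name NameIdRewrite, the method rewriteNameId and the embedded assertion fragment are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class NameIdRewrite {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

    /** Rewrite every NameID (SAML 2.0) or NameIdentifier (SAML 1.x) in the assertion
     *  DOM to newValue and set its Format. Returns the number of elements changed;
     *  0 when newValue is empty, so the caller can fail closed rather than issue an
     *  assertion with an empty subject. */
    static int rewriteNameId(Document assertionDoc, String newValue, String format) {
        if (newValue == null || newValue.trim().isEmpty()) return 0;
        int changed = 0;
        NodeList[] candidates = {
            assertionDoc.getElementsByTagNameNS(SAML2_NS, "NameID"),
            assertionDoc.getElementsByTagNameNS(SAML1_NS, "NameIdentifier")
        };
        for (NodeList list : candidates) {
            for (int i = 0; i < list.getLength(); i++) {
                Element id = (Element) list.item(i);
                id.setTextContent(newValue.trim()); // replaces the existing uid text node
                id.setAttribute("Format", format);
                changed++;
            }
        }
        return changed;
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal SAML 2.0 assertion fragment (not a real assertion).
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\"><saml:Subject>"
            + "<saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">"
            + "jdoe</saml:NameID></saml:Subject></saml:Assertion>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);            // required for getElementsByTagNameNS
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        int n = rewriteNameId(doc, "jdoe@example.com", EMAIL_FORMAT);
        Element id = (Element) doc.getElementsByTagNameNS(SAML2_NS, "NameID").item(0);
        System.out.println(n + " element(s) rewritten; NameID is now " + id.getTextContent()
            + " with Format " + id.getAttribute("Format"));
    }
}
```

Inside the plugin, the Document is the assertionDoc parameter of ChangeAuthAttribute and the new value is the mail attribute obtained through userContext.getDnProp as in the excerpt; the generator should not proceed when the helper returns 0.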

Additional Information

(1)

     Customizing a SAML Assertion

       An enterprise can modify the content of an assertion based on the
       business agreements between the federated partners. For example,
       one partner can require user-friendly name equivalents for the
       attributes in the assertion. Or, a partner can opt to include the
       XML-type designation for each attribute in the assertion.

       The federation system creates SAML assertions with its
       implementation of the AssertionGeneratorPlugin.java interface. An
       Application Developer can enhance the contents of the SAML
       assertion by overwriting the existing implementation class.