NameId in SAML assertion customization in Policy Server


Article ID: 258861


Updated On:


CA Single Sign On Federation (SiteMinder)



When running Policy Server in a Federation journey, with Policy Server on the IdP side, how can the incoming NameID value be modified?



Policy Server as IdP provides a way to customize the Assertion Generator. When configuring the Partnership in the AdminUI, on the "Assertion Configuration" tab, the "Assertion Generator Plug-in" section at the bottom lets you specify where Policy Server finds your Custom Assertion Generator.

The SDK installation includes a sample Custom Assertion Generator that can be used as a guide for the implementation.

On a Linux installation, the relevant part of that sample looks like this (trimmed):

    /**
     * Change saml:NameIdentifier Format for Authentication statement from "uid" to "email"
     */
    protected boolean ChangeAuthAttribute(Document assertionDoc) throws Exception {
        // Get the node iterator for the XPath
        Node xRoot = assertionDoc.getDocumentElement();

        [...omitted for brevity...]

        // Get the current user's path; it is the UserDN, as this user is authenticated.
        String userDN = userContext.getProp("SM_USERNAME");
        apiContext.trace("Sample Assertion Plugin", "Retrieved user dn from userContext: " + userDN);

        // You can also get the userDN via userContext.getUserName()
        apiContext.trace("Sample Assertion Plugin", "Another way to retrieve user dn from userContext: " + userContext.getUserName());

        // Do the user mapping here.
        // You can derive the mapped DN from the current user's DN,
        // or compose it from the current user's uid, which can be retrieved via userContext.getProp("uid").

        // Get the user's email attribute.
        // If the user is a mapped user different from the current one,
        // add the "<SMUNRELATEDDN>" prefix string to the input DN.
        String email = userContext.getDnProp("<SMUNRELATEDDN>" + userDN, "mail");

        apiContext.trace("Sample Assertion Plugin", "Retrieved user email from userContext: " + email);
Refer to the documentation (1) for how to implement it.
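As an added, stand-alone illustration (not the SDK sample and not SiteMinder's plug-in API), the following Java code shows the DOM edit such a plug-in performs: it locates the Subject NameID in a generated SAML 2.0 assertion and replaces its value and Format with the user's email address. The assertion text and the email value are constructed here; in the plug-in the value would come from userContext.getDnProp as in the sample above.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class NameIdRewriter {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";

    // Constructed sample assertion: the generator has put the uid into the Subject NameID.
    static final String SAMPLE_ASSERTION =
        "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\" ID=\"_c1\" Version=\"2.0\">"
      + "<saml:Issuer>https://idp.example.test</saml:Issuer>"
      + "<saml:Subject><saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">"
      + "jdoe</saml:NameID></saml:Subject></saml:Assertion>";

    /** Parses with a namespace-aware builder that refuses DTDs (no external entity expansion). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Rewrites the Subject's NameID value and Format in place; false if the assertion has none. */
    static boolean rewriteSubjectNameId(Document assertionDoc, String value, String format) {
        NodeList ids = assertionDoc.getElementsByTagNameNS(SAML2_NS, "NameID");
        for (int i = 0; i < ids.getLength(); i++) {
            Element nameId = (Element) ids.item(i);
            // Only the Subject's NameID identifies the principal; leave any other NameID alone.
            if (!"Subject".equals(nameId.getParentNode().getLocalName())) continue;
            nameId.setTextContent(value);
            nameId.setAttribute("Format", format);
            return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(SAMPLE_ASSERTION);
        // In the real plug-in the value comes from userContext.getDnProp(..., "mail"); constructed here.
        boolean changed = rewriteSubjectNameId(doc, "jdoe@example.test", EMAIL_FORMAT);
        Element nameId = (Element) doc.getElementsByTagNameNS(SAML2_NS, "NameID").item(0);
        System.out.println(changed + " " + nameId.getAttribute("Format") + " " + nameId.getTextContent());
    }
}
```

Any such rewrite has to happen before the assertion is signed; a NameID changed after signing would make the signature fail validation at the Service Provider.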


Additional Information


  1. Customizing a SAML Assertion