NameId in SAML assertion customization in Policy Server

Article ID: 258861

Updated On:

Products

CA Single Sign On Federation (SiteMinder)

Issue/Introduction

When Policy Server runs on the IdP side of a Federation journey, how can the NameID value placed in the SAML assertion be modified?

 

Resolution


Policy Server as IdP has a feature to customize the Assertion Generator. When configuring the Partnership in the AdminUI, on the "Assertion Configuration" tab, there is a section at the bottom called "Assertion Generator Plug-in" where the location of your custom Assertion Generator can be specified.

A sample custom Assertion Generator ships with the SDK installation and can be used as a guide for the implementation.

On a Linux installation, for example:

  /{home_sdk}/samples/assertiongeneratorplugin

  AssertionSample.java

        /**
         * Change saml:NameIdentifier Format for Authentication statement from "uid" to "email"
         */
        protected boolean ChangeAuthAttribute(Document assertionDoc) throws Exception {
            // Get the node iterator for the XPath
            Node xRoot = assertionDoc.getDocumentElement();

            [...omitted for brevity...]
            
            // Get the current user's path, it is UserDN as this user is authenticated.
            String userDN = userContext.getProp("SM_USERNAME");
            apiContext.trace("Sample Assertion Plugin", "Retrieved user dn from userContext: " + userDN);

            // You can also get the userDN by userContext.getUserName
            apiContext.trace("Sample Assertion Plugin", "Another way to retrieve user dn from userContext: " + userContext.getUserName());

            // Do the user mapping here.
            // You can do some engineering work on the current user's DN
            // or you can compose the mapped user DN with current user's uid, which can be retrieved via userContext.getProp("uid")

            // Get the user's email attribute,
            // if user is the mapped user which is different from the current one,
            // please add "<SMUNRELATEDDN>" prefix string for the input DN.
            String email = userContext.getDnProp("<SMUNRELATEDDN>" + userDN, "mail");

            apiContext.trace("Sample Assertion Plugin", "Retrieved user email from userContext: " + email);

Refer to the documentation (1) for how to implement the plug-in.
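The rewrite step that the sample only sketches, as an added example that is not the SDK sample or Broadcom's code: it takes the parsed assertion Document, replaces the subject NameID (SAML 2.0) or NameIdentifier (SAML 1.x) value with the user's e-mail address, and sets the Format attribute to match. The lookupMail method is a constructed stand-in for userContext.getDnProp, and the plug-in interface wiring is left out.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example (not the SDK sample): rewrite the subject identifier of an assertion
// from a uid to the user's e-mail address and set the matching Format attribute.
public class NameIdRewriteExample {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
    // Constructed stand-in for the directory lookup; inside the plug-in this is
    // userContext.getDnProp("<SMUNRELATEDDN>" + userDN, "mail") as in the SDK sample.
    static String lookupMail(String uid) {
        return "jdoe".equals(uid) ? "jdoe@example.com" : null;
    }
    /** Returns true only if a NameID (SAML 2.0) or NameIdentifier (SAML 1.x) was rewritten. */
    static boolean changeNameId(Document doc) {
        NodeList nodes = doc.getElementsByTagNameNS(SAML2, "NameID");
        if (nodes.getLength() == 0) nodes = doc.getElementsByTagNameNS(SAML1, "NameIdentifier");
        if (nodes.getLength() == 0) return false;      // no subject identifier: leave the assertion alone
        Element nameId = (Element) nodes.item(0);
        String mail = lookupMail(nameId.getTextContent().trim());
        if (mail == null) return false;                // no mapping found: keep the original value
        nameId.setTextContent(mail);
        nameId.setAttribute("Format", EMAIL_FORMAT);   // the Format must describe the new value
        return true;
    }
    public static void main(String[] args) throws Exception {
        // Constructed minimal SAML 2.0 assertion used as input for the demo
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML2 + "\"><saml:Subject>"
            + "<saml:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">jdoe</saml:NameID>"
            + "</saml:Subject></saml:Assertion>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);  // needed for getElementsByTagNameNS
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // reject DTDs
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println("rewritten: " + changeNameId(doc));
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        System.out.println(out);
    }
}
```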

 

Additional Information

 

  1. Customizing a SAML Assertion
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/federation-programming/federation-java-sdk/using-the-federation-java-sdk.html#concept.dita_ef99784186a03888687b3317fc84c2612dee5829_CustomizingaSAMLAssertion