SAML SP assertion attributes as JWT token to backend Target app
Article ID: 259316
Products
SITEMINDER; CA Single Sign On Agents (SiteMinder); CA Single Sign On Federation (SiteMinder); CA Single Sign On Secure Proxy Server (SiteMinder)
Issue/Introduction
When a Policy Server is acting as a Service Provider (SP), how can the incoming SAMLResponse assertion, including its custom attributes, be translated into a JSON Web Token (JWT) that is sent to the backend application?
Cause
Resolution
There are several options to achieve this, most of them involving custom work:
Using the CA API Gateway. This is an out-of-the-box solution with no customization:
Requirement:
- CA Access Gateway (SPS) or Web Agent Option Pack (WAOP);
- Policy Server;
- CA API Gateway;
Flow:
a. The SiteMinder Service Provider (SP) service consumes the assertion, generates an SMSESSION cookie and stores the assertion attributes as session variables in the Session Store;
b. The request is redirected to the application (which must be in the same cookie domain as the Federation Web Services); the application reads the Cookie header, extracts the SMSESSION cookie and calls the CA API Gateway;
c. The CA API Gateway receives the request from the application along with the cookie, decodes it and requests a virtual protected resource from the Policy Server. The Policy Server validates the session and then processes an authorization request; the response tied to the policy returns the session variables as headers;
d. The CA API Gateway receives the Policy Server authorization response with all the header variables and generates a JWT token, which can optionally be signed, and sends it back to the application;
e. The application must be able to decode the token, verify its signature and process the token data, which includes all the assertion attributes;
Using the OIDC authorization code flow. A custom claim will be needed:
Requirement:
- CA Access Gateway (SPS);
- Policy Server;
- Custom OIDC claim to return the session variables;
- The application must support the OIDC flow;
Flow:
a. The SiteMinder Service Provider (SP) consumes the assertion, generates an SMSESSION cookie and stores the assertion attributes as session variables in the Session Store;
b. The request is redirected to the application, which triggers an OIDC authorization code flow with SiteMinder acting as the Authorization Provider;
c. SiteMinder, as Authorization Provider, validates the SMSESSION and uses it to generate the OIDC tokens with the user info. A custom claim must be written to fetch the session variables from the Session Store and return them as claims in the token;
Using a custom Java active response to generate the JWT token:
Requirement:
- Web Agent Option Pack (WAOP) or CA Access Gateway (SPS);
- Policy Server;
- Custom Java active response to generate the JWT token;
Flow:
a. The SiteMinder Service Provider (SP) service consumes the assertion, generates an SMSESSION cookie, stores the assertion attributes as session variables in the Session Store and sends the request to the backend application;
b. The backend application calls a protected resource tied to a Java active response (custom code), which reads the session variables and generates a JWT token;
c. The application must be able to decode the token, verify its signature and process the token data, which includes all the assertion attributes.
Using the CA Access Gateway (SPS) AZ web service (1) to return a JSON response with the needed headers (no custom code needed):
Requirement:
- CA Access Gateway (SPS);
- Policy Server;
Flow:
a. The SiteMinder Service Provider (SP) service consumes the assertion, generates an SMSESSION cookie, stores the assertion attributes as session variables in the Session Store and sends the request to the backend application;
b. The backend application calls the AZ web service on the CA Access Gateway (SPS) and passes the session token (SMSESSION); the AZ web service returns its response in JSON: