Sun OpenSSO Enterprise 8.0 Administration Guide

Requesting Attribute Values Using a SAMLv2 Assertion

Providers may request attributes (and the corresponding values) from a specific identity profile. A successful response is the return of an assertion containing the requested information. The identity provider acting as the attribute authority uses an implementation of the com.sun.identity.saml2.plugins.AttributeAuthorityMapper interface to process queries. The implementation uses the attribute map table configured in the identity provider's extended metadata which maps attributes in the SAMLv2 assertion to attributes in the local user data store. (If an attribute map is not configured, no attributes will be returned.)

OpenSSO Enterprise contains two custom mappers:

com.sun.identity.saml2.plugins.DefaultAttributeAuthorityMapper

com.sun.identity.saml2.plugins.DefaultAttributeAuthorityMapper maps using the NameID from a single sign-on interaction. To set OpenSSO Enterprise to use a different attribute mapper implementation, modify the value of the default_attributeAuthorityMapper property in the extended metadata of the provider defined as the attribute authority. The mapper configured as the value of default_attributeAuthorityMapper is used for standard attribute queries.

com.sun.identity.saml2.plugins.X509SubjectAttributeAuthorityMapper

com.sun.identity.saml2.plugins.X509SubjectAttributeAuthorityMapper maps using the X.509 Subject of the certificate carried in the NameID. To set OpenSSO Enterprise to use a different attribute mapper implementation, modify the value of the x509Subject_attributeAuthorityMapper property in the extended metadata of the provider defined as the attribute authority. The mapper configured as the value of x509Subject_attributeAuthorityMapper is used for attribute queries that carry an X.509 certificate. The X.509 mapper maps an X.509 subject to a user by searching the identity data store on the attribute named by the x509SubjectDataStoreAttrName property in the identity provider extended metadata of the attribute authority. If a user has that attribute and its value equals the X.509 subject in the attribute query, that user is taken as the subject of the query.

Only the SOAP binding is supported for these communications. Signing is required, so make sure the Signing Certificate Alias attribute is configured for every provider acting as the attribute requester or the attribute authority. The ssoadm command line interface can be used to create and import the service provider metadata. The following tags must be in the standard metadata of the service provider (querying provider).

<RoleDescriptor
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
  xsi:type="query:AttributeQueryDescriptorType"
  protocolSupportEnumeration=
  "urn:oasis:names:tc:SAML:2.0:protocol">
</RoleDescriptor>

The following tags must be in the extended metadata of the service provider (querying provider).

<AttributeQueryConfig metaAlias="/attrq">
  <Attribute name="signingCertAlias">
    <Value>test2</Value>
  </Attribute>
  <Attribute name="encryptionCertAlias">
    <Value>test2</Value>
  </Attribute>
</AttributeQueryConfig>

Use the following options to create the appropriate tags in the service provider's metadata. See Part I, Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

--attrqueryprovider, -S

Specify a metaAlias for the hosted querying provider. The format must be realm name/identifier.

--attrqscertalias, -A

Specify a signing certificate alias.

--attrqecertalias, -R

Specify an encryption certificate alias.

The ssoadm command line interface can also be used to create and import the identity provider metadata. The following tags must be in the standard metadata of the identity provider (attribute authority).

<AttributeAuthorityDescriptor
  protocolSupportEnumeration=
  "urn:oasis:names:tc:SAML:2.0:protocol">
</AttributeAuthorityDescriptor>

The following tags must be in the extended metadata of the identity provider (attribute authority). Note the presence of the x509SubjectDataStoreAttrName attribute.

<AttributeAuthorityConfig metaAlias="/attra">
  <Attribute name="signingCertAlias">
   <Value>test2</Value>
  </Attribute>
  <Attribute name="encryptionCertAlias">
   <Value>test2</Value>
  </Attribute>
  <Attribute name="default_attributeAuthorityMapper">
   <Value>com.sun.identity.saml2.plugins.DefaultAttributeAuthorityMapper</Value>
  </Attribute>
  <Attribute name="x509Subject_attributeAuthorityMapper">
   <Value>com.sun.identity.saml2.plugins.X509SubjectAttributeAuthorityMapper</Value>
  </Attribute>
  <Attribute name="x509SubjectDataStoreAttrName">
   <Value></Value>
  </Attribute>
</AttributeAuthorityConfig>

Use the following options to create the appropriate tags in the identity provider's metadata. See Part I, Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference for more information.

--attrauthority, -I

Specify a metaAlias for the hosted attribute authority. The format must be realm name/identifier.

--attrascertalias, -B

Specify a signing certificate alias.

--attraecertalias, -G

Specify an encryption certificate alias.

To initiate this query, create and import the standard and extended metadata for both the service provider and identity provider. Add the mapped values to the attributeMap property in the extended identity provider metadata in the following format:

attribute in SAML assertion=local attribute

Tip – You can specify the attributes to be returned in the Attribute tag of the AttributeAuthorityDescriptor element of the identity provider standard metadata. If this attribute has no value, all requested attributes will be returned.

To send an attribute query from the querying provider, use the sendAttributeQuery method of com.sun.identity.saml2.profile.AttributeQueryUtil:

public static Response sendAttributeQuery(
  AttributeQuery attrQuery,
  String attrAuthorityEntityID,
  String realm,
  String attrQueryProfile,
  String attrProfile,
  String binding) throws SAML2Exception;

To construct an AttributeQuery object, use the com.sun.identity.saml2.assertion.* and com.sun.identity.saml2.protocol.* packages.
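The following Java class is an added example, not code from this guide or from the OpenSSO Enterprise product: it builds an AttributeQuery with the assertion and protocol factories, sends it through sendAttributeQuery over the SOAP binding, and checks the response status. The realm, entity IDs, subject values and attribute names are constructed; the SAML2Constants names used for the NameID formats, query profiles, attribute profile and binding are assumed to match the OpenSSO 8.0 API.

```java
import java.util.*;
import com.sun.identity.saml2.assertion.*;
import com.sun.identity.saml2.common.*;
import com.sun.identity.saml2.profile.AttributeQueryUtil;
import com.sun.identity.saml2.protocol.*;

public class AttributeQueryClient {
    // Constructed values: replace with the realm and entity IDs of your own deployment.
    static final String REALM = "/";
    static final String REQUESTER_ID = "https://sp.example.com/opensso";  // querying provider
    static final String AUTHORITY_ID = "https://idp.example.com/opensso"; // attribute authority
    // Builds an AttributeQuery and sends it over SOAP (sendAttributeQuery signs it). The NameID
    // format and query profile choose the authority's mapper: see main() for the two pairings.
    static Response query(String subjectValue, String nameIDFormat, String queryProfile,
                          List<String> attrNames) throws SAML2Exception {
        AssertionFactory af = AssertionFactory.getInstance();
        Issuer issuer = af.createIssuer();
        issuer.setValue(REQUESTER_ID);
        NameID nameID = af.createNameID();
        nameID.setValue(subjectValue);      // persistent NameID, or the X.509 subject DN
        nameID.setFormat(nameIDFormat);
        Subject subject = af.createSubject();
        subject.setNameID(nameID);
        List<Attribute> requested = new ArrayList<Attribute>();
        for (String name : attrNames) {
            Attribute a = af.createAttribute();
            a.setName(name);                // SAML-side name from the authority's attributeMap
            requested.add(a);
        }
        AttributeQuery q = ProtocolFactory.getInstance().createAttributeQuery();
        q.setID(SAML2Utils.generateID());
        q.setVersion(SAML2Constants.VERSION_2_0);
        q.setIssueInstant(new Date());
        q.setIssuer(issuer);
        q.setSubject(subject);
        q.setAttributes(requested);
        Response resp = AttributeQueryUtil.sendAttributeQuery(q, AUTHORITY_ID, REALM,
                queryProfile, SAML2Constants.BASIC_ATTRIBUTE_PROFILE, SAML2Constants.SOAP);
        String status = resp.getStatus().getStatusCode().getValue();
        if (!SAML2Constants.SUCCESS.equals(status)) {
            throw new SAML2Exception("attribute query failed: " + status);
        }
        return resp;   // resp.getAssertion() holds the assertion(s) with AttributeStatements
    }
    public static void main(String[] args) throws SAML2Exception {
        List<String> wanted = Arrays.asList("mail", "cn");
        // Standard query: persistent NameID, handled by default_attributeAuthorityMapper.
        query("persistent-id-123", SAML2Constants.PERSISTENT, SAML2Constants.DEFAULT_ATTR_QUERY_PROFILE, wanted);
        // X.509 query: certificate subject DN, handled by x509Subject_attributeAuthorityMapper.
        query("CN=Alice,O=Example", SAML2Constants.X509_SUBJECT_NAME, SAML2Constants.X509_SUBJECT_ATTR_QUERY_PROFILE, wanted);
    }
}
```

The requested attribute names must appear on the SAML side of the authority's attributeMap, and the X.509 query only resolves a user when x509SubjectDataStoreAttrName names a populated data store attribute, otherwise the assertion comes back without attributes.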