How do I configure a hosted SP as an Attribute Query provider in AM 6.x?
The purpose of this article is to provide assistance with configuring a hosted SP as an Attribute Query provider in AM. This allows the SP to request attributes about a given subject from the Attribute Authority and then process the attributes received. The Attribute Query happens after the initial assertion has been received. This article also provides information on configuring a hosted IdP as the Attribute Authority in case you have both a hosted IdP and SP on AM.
Configuring a hosted IdP as the Attribute Authority (optional)
If you have a hosted IdP that you want to act as the Attribute Authority, you need to add the Attribute Authority (AttrAuth) role to the IdP entity and map the attributes that the IdP returns in response to the query from the SP.
To configure your hosted IdP:
- On the hosted IdP, navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, select the check box adjacent to the name of the hosted IdP and click New.
- Select SAMLv2 as the protocol of the provider.
- Complete the following fields on the Create SAMLv2 Entity Provider page:
- Realm - specify the realm applicable to the IdP.
- Entity identifier - enter the name of the hosted IdP so it matches the name shown in step 1.
- Attribute Authority: Meta Alias, Signing certificate alias, Encryption certificate alias - enter a metaAlias applicable to the IdP in the role of Attribute Authority (for example, /attra) and specify the certificate alias values (for example, test to use the test certificate).
- Click Create to save your changes. AttrAuth now shows as a Type for your IdP.
- Click the name of the hosted IdP entity provider that is of type AttrAuth.
- Navigate to IdP > Assertion Processing > Attribute Mapper and enter attribute maps for all the attributes required for the query, for example:
- cn=cn
- sn=sn
- uid=uid
- Click Save to save your changes to the IdP.
Note
If you implement a custom AttributeAuthorityMapper, ensure the code is thread-safe: the mapper is shared between concurrent requests, so pass per-request state as attributes on the HttpServletRequest rather than keeping it in shared fields guarded by synchronization. The default AttributeAuthorityMapper uses an attribute on the HttpServletRequest to pass information to the AttributeQueryUtil.
Configuring a hosted SP as the Attribute Query provider
If you have a hosted SP that you want to act as the Attribute Query provider, you need to add the Attribute Query (AttrQuery) role to the SP entity and map the attributes that will be requested in the query.
To configure your hosted SP:
- On the hosted SP, navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, select the check box adjacent to the name of the hosted SP and click New.
- Select SAMLv2 as the protocol of the provider.
- Complete the following fields on the Create SAMLv2 Entity Provider page:
- Realm - specify the realm applicable to the SP.
- Entity identifier - enter the name of the hosted SP so it matches the name shown in step 1.
- Attribute Query Provider: Meta Alias, Signing certificate alias, Encryption certificate alias - enter a metaAlias applicable to the SP in the role of Attribute Query provider (for example, /attrq) and specify the certificate alias values (for example, test to use the test certificate).
- Click Create to save your changes. AttrQuery now shows as a Type for your SP.
- Click the name of the hosted SP entity provider that is of type AttrQuery.
- Navigate to SP > Assertion Processing > Attribute Mapper and enter attribute maps for all the attributes required for the query, for example:
- cn=cn
- sn=sn
- uid=uid
- Click Save to save your changes to the SP.
- On the hosted IdP (if the hosted IdP is on AM), navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, delete the remote SP entity provider and re-create it from the SP's updated metadata so that the IdP knows about the new AttrQuery role.
- On the hosted SP, navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, delete the remote IdP entity provider and re-create it from the IdP's updated metadata so that the SP knows about the new AttrAuth role.
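The re-import in the last two steps matters because the remote entity's copy of the metadata predates the new role. The following check, added here as an example (it is not AM code), parses standard SAML 2.0 metadata of the kind AM exports and reports whether the IdP entity carries an AttributeAuthorityDescriptor with a SOAP AttributeService and whether the SP entity carries the AttributeQuery role, which SAML metadata expresses as a RoleDescriptor of xsi:type query:AttributeQueryDescriptorType. Both metadata documents are constructed samples; the entity IDs, service locations and metaAliases in them are illustrative only.

```python
"""Check that exchanged SAML 2.0 metadata advertises the roles an Attribute Query needs.

Added example for this article; not AM's own code. All metadata below is constructed.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
# SAML 2.0 Metadata Extension for SSO Service Provider Queries: the SP's
# Attribute Query role appears as a RoleDescriptor with this xsi:type.
ATTR_QUERY_TYPE = "AttributeQueryDescriptorType"

# Constructed: IdP metadata exported after the AttrAuth role was added.
IDP_METADATA_WITH_ATTRAUTH = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/openam">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/openam/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/openam/AttributeService/metaAlias/attra"/>
  </AttributeAuthorityDescriptor>
</EntityDescriptor>
"""

# Constructed: the stale IdP metadata the SP imported before the role was added.
STALE_IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/openam">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/openam/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed: SP metadata exported after the AttrQuery role was added.
SP_METADATA_WITH_ATTRQUERY = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:query="urn:oasis:names:tc:SAML:metadata:ext:query"
    entityID="https://sp.example.com/openam">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/openam/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
  <RoleDescriptor xsi:type="query:AttributeQueryDescriptorType"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  </RoleDescriptor>
</EntityDescriptor>
"""


def entity_roles(metadata_xml):
    """Return the entity ID, the names of its role descriptors and its SOAP AttributeService URL."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor")
    roles = []
    for child in root:
        if child.tag == f"{{{MD}}}RoleDescriptor":
            # xsi:type is "prefix:TypeName"; only the local type name matters here
            roles.append(child.get(f"{{{XSI}}}type", "").split(":")[-1])
        elif child.tag.startswith(f"{{{MD}}}") and child.tag.endswith("Descriptor"):
            roles.append(child.tag.split("}")[1])
    service = root.find(f"{{{MD}}}AttributeAuthorityDescriptor/{{{MD}}}AttributeService")
    location = service.get("Location") if service is not None and service.get("Binding") == SOAP else None
    return {"entityID": root.get("entityID"), "roles": roles, "attribute_service": location}


def attribute_query_problems(idp_metadata_xml, sp_metadata_xml):
    """List what still blocks an Attribute Query between these two entities (empty means ready)."""
    idp, sp = entity_roles(idp_metadata_xml), entity_roles(sp_metadata_xml)
    problems = []
    if "AttributeAuthorityDescriptor" not in idp["roles"]:
        problems.append(f"{idp['entityID']}: no AttributeAuthorityDescriptor; the AttrAuth role is "
                        "missing or the SP still holds stale IdP metadata")
    elif idp["attribute_service"] is None:
        problems.append(f"{idp['entityID']}: AttributeAuthorityDescriptor has no SOAP AttributeService")
    if ATTR_QUERY_TYPE not in sp["roles"]:
        problems.append(f"{sp['entityID']}: no {ATTR_QUERY_TYPE} role; the AttrQuery role is "
                        "missing or the IdP still holds stale SP metadata")
    return problems


if __name__ == "__main__":
    print("fresh:", attribute_query_problems(IDP_METADATA_WITH_ATTRAUTH, SP_METADATA_WITH_ATTRQUERY))
    print("stale:", attribute_query_problems(STALE_IDP_METADATA, SP_METADATA_WITH_ATTRQUERY))
```

Run it against the metadata you actually exported from each side (see the See Also links on exporting metadata) rather than the constructed samples; an empty problem list means both sides advertise the roles they need.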
Calling an endpoint from the SP for an Attribute Query
Once you have configured your SP as an Attribute Query provider, you need to create the following JSP pages:
- One that creates the AttributeQuery and sends it, for example, AttrQuery.jsp
- One to handle the response, for example, AttrResp.jsp
There are currently no default pages (such as spSSOInit.jsp) for an Attribute Query from an SP, so you will need to create your own pages based on the sample ones provided for the Fedlet: fedletAttrQuery.jsp and fedletAttrResp.jsp. These files can be found in the /fedlet directory in the fedlet.war file.
See Performing Attribute Queries for further information on using these jsp pages to perform attribute queries for the Fedlet.
Note
Do not use the unspecified NameID format for Attribute Queries, because it has not been implemented; only the transient and x509 (X509SubjectName) formats can be used.
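The two pages above split the work into building the AttributeQuery and handling the Response. The following example, added here and not taken from the Fedlet samples or from AM's AttributeQueryUtil, shows both halves at the protocol level using only the SAML 2.0 XML: it builds a samlp:AttributeQuery for a subject (refusing the unspecified NameID format), then reads the AttributeStatement out of a samlp:Response and applies the SP attribute map from the steps above (cn=cn, sn=sn, uid=uid). Signing and the SOAP transport, which AM performs for you, are out of scope. The entity IDs, the response document and the attribute values are constructed for this example.

```python
"""Build a SAML 2.0 AttributeQuery and read attributes out of the Response.

Added example for this article; not the Fedlet sample JSP and not AM's
AttributeQueryUtil. The entity IDs and the response below are constructed.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# The SP attribute map from the article, in its "SAML attribute=local attribute" form.
SP_ATTRIBUTE_MAP = ["cn=cn", "sn=sn", "uid=uid"]

# Constructed Response from the Attribute Authority: it returns one attribute
# (mail) that the SP map does not list, to show that unmapped ones are dropped.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" InResponseTo="a1">
  <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="s1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/openam</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="cn"><saml:AttributeValue>Demo User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>demo@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def name_id_format_supported(name_id_format):
    """Only transient and X509SubjectName are implemented for Attribute Queries."""
    return name_id_format in (NAMEID_TRANSIENT, NAMEID_X509)


def build_attribute_query(sp_entity_id, name_id, name_id_format, attr_names):
    """Return a serialised samlp:AttributeQuery for the subject identified by name_id."""
    if not name_id_format_supported(name_id_format):
        raise ValueError(f"NameID format not supported for Attribute Query: {name_id_format}")
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "a" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")})
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    for name in attr_names:  # one saml:Attribute per attribute being requested
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name})
    return ET.tostring(query, encoding="unicode")


def query_summary(query_xml):
    """Parse a serialised AttributeQuery back into its issuer, subject and requested names."""
    root = ET.fromstring(query_xml)
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {"issuer": root.findtext(f"{{{SAML}}}Issuer"), "name_id": name_id.text,
            "format": name_id.get("Format"),
            "attributes": [a.get("Name") for a in root.iterfind(f"{{{SAML}}}Attribute")]}


def parse_attribute_map(entries):
    """Turn ["cn=cn", ...] into {saml_attribute_name: local_attribute_name}."""
    return dict(entry.split("=", 1) for entry in entries)


def attributes_from_response(response_xml, attribute_map):
    """Return {local_name: [values]} from a successful Response, keeping only mapped attributes."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("AttributeQuery failed: " + (code.get("Value") if code is not None else "no Status"))
    result = {}
    path = f"{{{SAML}}}Assertion/{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"
    for attr in root.iterfind(path):
        local = attribute_map.get(attr.get("Name"))
        if local is None:
            continue  # not in the SP attribute map, so the SP does not consume it
        values = [v.text or "" for v in attr.iterfind(f"{{{SAML}}}AttributeValue")]
        result.setdefault(local, []).extend(values)
    return result


if __name__ == "__main__":
    amap = parse_attribute_map(SP_ATTRIBUTE_MAP)
    print(build_attribute_query("https://sp.example.com/openam", "transient-id-123", NAMEID_TRANSIENT, amap))
    print(attributes_from_response(SAMPLE_RESPONSE, amap))
```

In a real deployment the query is signed with the SP's Attribute Query signing certificate alias and sent over SOAP to the IdP's AttributeService, and the Response signature and any encryption are verified before the AttributeStatement is trusted; the parsing above assumes that step has already been done by AM.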
See Also
How do I export and import SAML2 metadata in AM (All versions)?
How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?
How do I change the metaAlias for an existing IdP or SP in AM (All versions)?