How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure a hosted SP as an Attribute Query provider in AM 5.x and 6.x?

Last updated Apr 13, 2021

The purpose of this article is to provide assistance with configuring a hosted SP as an Attribute Query provider in AM. This allows the SP to request attributes about a given subject from the Attribute Authority and then process the attributes it receives. This article also describes configuring a hosted IdP as the Attribute Authority, for deployments where both the IdP and the SP are hosted on AM.



Configuring a hosted IdP as the Attribute Authority (optional)

If you have a hosted IdP that you want to act as the Attribute Authority, you need to configure the IdP with the Attribute Authority (AttrAuth) type and map the attributes that will be included in the query from the SP.

To configure your hosted IdP:

  1. On the hosted IdP:
    • AM 6.x console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, select the check box adjacent to the name of the hosted IdP and click New.
    • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers, select the check box adjacent to the name of the hosted IdP and click New.
  2. Select SAMLv2 as the protocol of the provider.
  3. Complete the following fields on the Create SAMLv2 Entity Provider page:
    • Realm - specify the realm applicable to the IdP.
    • Entity identifier - enter the name of the hosted IdP so it matches the name shown in step 1.
    • Attribute Authority: Meta Alias, Signing certificate alias, Encryption certificate alias - enter a metaAlias for the IdP in its Attribute Authority role (for example, /attra) and the aliases of the signing and encryption certificates in the AM keystore (for example, test, which selects AM's bundled test certificate and is only suitable for a test environment).
  4. Click Create to save your changes. AttrAuth now shows as a Type for your IdP.
  5. Click the name of the hosted IdP entity provider that is of type AttrAuth.
  6. Navigate to IdP > Assertion Processing > Attribute Mapper and enter attribute maps for all the attributes required for the query, for example:
    • cn=cn
    • sn=sn
    • uid=uid
  7. Click Save to save your changes to the IdP.
Note

Ensure you use thread-safe code if you implement a custom AttributeAuthorityMapper. Rather than synchronizing shared state, you can pass it as attributes on the HttpServletRequest; the default AttributeAuthorityMapper itself uses a request attribute to pass information to AttributeQueryUtil.

Configuring a hosted SP as the Attribute Query provider

If you have a hosted SP that you want to act as the Attribute Query provider, you need to configure the SP with the Attribute Query (AttrQuery) type and map the attributes that will be included in the query.

To configure your hosted SP:

  1. On the hosted SP:
    • AM 6.x console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, select the check box adjacent to the name of the hosted SP and click New.
    • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers, select the check box adjacent to the name of the hosted SP and click New.
  2. Select SAMLv2 as the protocol of the provider.
  3. Complete the following fields on the Create SAMLv2 Entity Provider page:
    • Realm - specify the realm applicable to the SP.
    • Entity identifier - enter the name of the hosted SP so it matches the name shown in step 1.
    • Attribute Query Provider: Meta Alias, Signing certificate alias, Encryption certificate alias - enter a metaAlias for the SP in its Attribute Query provider role (for example, /attrq) and the aliases of the signing and encryption certificates in the AM keystore (for example, test, which selects AM's bundled test certificate and is only suitable for a test environment).
  4. Click Create to save your changes. AttrQuery now shows as a Type for your SP.
  5. Click the name of the hosted SP entity provider that is of type AttrQuery.
  6. Navigate to SP > Assertion Processing > Attribute Mapper and enter attribute maps for all the attributes required for the query, for example:
    • cn=cn
    • sn=sn
    • uid=uid
  7. Click Save to save your changes to the SP.
Adding the Attribute Query role changes the hosted SP's metadata (and adding the Attribute Authority role changes the hosted IdP's), so the copy of that metadata held by the other party must be refreshed:

  1. On the hosted IdP (if the hosted IdP is on AM):
    • AM 6.x console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, delete the remote SP entity provider and re-create it to take account of the metadata changes.
    • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers, delete the remote SP entity provider and re-create it to take account of the metadata changes.
  2. On the hosted SP:
    • AM 6.x console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers, delete the remote IdP entity provider and re-create it to take account of the metadata changes.
    • AM 5.x console: navigate to: Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers, delete the remote IdP entity provider and re-create it to take account of the metadata changes.

Calling an endpoint from the SP for an Attribute Query

Once you have configured your SP as an Attribute Query provider, you need to create the following JSP pages:

  • One that creates the AttributeQuery and sends it, for example, AttrQuery.jsp
  • One to handle the response, for example, AttrResp.jsp

There are currently no default pages for an Attribute Query from an SP (unlike spSSOInit.jsp for SSO), so you will need to create your own pages based on the sample ones provided for the Fedlet: fedletAttrQuery.jsp and fedletAttrResp.jsp. These files can be found in the /fedlet directory in the fedlet.war file.

See Performing Attribute Queries for further information on using these JSP pages to perform attribute queries for the Fedlet.

Note

You should not use the unspecified NameID format for Attribute Queries because it has not been implemented; you can only use the transient or X509 subject name formats.
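The exchange the two JSP pages drive, shown end to end as an added example that is not code from the article, the Fedlet samples or AM: the SP builds a samlp:AttributeQuery for a subject and the attributes in its attribute map, then validates the Attribute Authority's samlp:Response (InResponseTo, status, subject) before unpacking the AttributeStatement through the map. In AM the pages delegate to AttributeQueryUtil, which also signs the query, sends it over SOAP and verifies the Attribute Authority's signature; none of that is modelled here, the entity IDs are placeholders, and the Response is a constructed, unsigned sample rather than one captured from AM.

```python
"""SAML 2.0 AttributeQuery / Response exchange between an SP and an Attribute Authority.

Added example, not code from the article, the Fedlet samples or AM. No signing, SOAP
transport or signature verification is modelled; the Response is a constructed sample.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NAMEID_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Per the note above, only transient and X509 subject names are usable for Attribute Queries.
SUPPORTED_NAMEID_FORMATS = {NAMEID_TRANSIENT, NAMEID_X509}


def parse_attribute_map(entries):
    """Turn the console's 'saml-attr=local-attr' lines (cn=cn, sn=sn, uid=uid) into a dict."""
    return dict(e.split("=", 1) for e in entries if "=" in e)


def build_attribute_query(sp_entity_id, name_id, name_id_format, attr_names, query_id=None):
    """Build the samlp:AttributeQuery the SP sends; returns (ID, XML string)."""
    if name_id_format not in SUPPORTED_NAMEID_FORMATS:
        raise ValueError(f"NameID format not supported for Attribute Query: {name_id_format}")
    query_id = query_id or "_" + uuid.uuid4().hex  # XML IDs must not start with a digit
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": query_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    # schema order: Issuer, Subject, then the requested Attributes
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    for name in attr_names:
        ET.SubElement(q, f"{{{SAML}}}Attribute", {
            "Name": name, "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"})
    return query_id, ET.tostring(q, encoding="unicode")


def process_attribute_response(response_xml, query_id, name_id, sp_attribute_map):
    """Validate the Response against the query it answers and return {local_attr: [values]}
    for the attributes listed in the SP attribute map (anything unmapped is ignored)."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("expected samlp:Response")
    if root.get("InResponseTo") != query_id:
        raise ValueError("InResponseTo does not match the AttributeQuery ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError(f"Attribute Authority returned status {None if code is None else code.get('Value')}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    subject = assertion.find("saml:Subject/saml:NameID", NS)
    if subject is None or subject.text != name_id:
        raise ValueError("Assertion subject differs from the queried NameID")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        local = sp_attribute_map.get(attr.get("Name"))
        if local is None:
            continue  # not in the SP attribute map: ignore it
        attributes[local] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


def constructed_response(in_response_to, name_id):
    """Constructed, unsigned sample of an Attribute Authority Response (not captured from AM).
    It returns one attribute (mail) that the SP map does not list, to show it being dropped."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
    IssueInstant="2021-04-13T10:00:00Z" InResponseTo="{in_response_to}">
  <saml:Issuer>https://idp.example.com:443/am</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-04-13T10:00:00Z">
    <saml:Issuer>https://idp.example.com:443/am</saml:Issuer>
    <saml:Subject><saml:NameID Format="{NAMEID_TRANSIENT}">{name_id}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="cn"><saml:AttributeValue>Demo User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="uid"><saml:AttributeValue>demo</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue>demo@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    sp_map = parse_attribute_map(["cn=cn", "sn=sn", "uid=uid"])
    qid, query_xml = build_attribute_query("https://sp.example.com:443/am", "_tr123",
                                           NAMEID_TRANSIENT, list(sp_map))
    print(query_xml)
    print(process_attribute_response(constructed_response(qid, "_tr123"), qid, "_tr123", sp_map))
```

The three rejections (unsupported NameID format, InResponseTo not matching the query ID, assertion subject not matching the queried NameID) are the checks a response page should apply before trusting the returned attributes; in a real deployment AM additionally verifies the Attribute Authority's signature on the Response.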

See Also

How do I export and import SAML2 metadata in AM (All versions)?

How do I update metadata for an IdP or SP in AM (All versions) using ssoadm?

How do I change the metaAlias for an existing IdP or SP in AM (All versions)?

FAQ: SAML federation in AM

SAML Federation in AM

SAML v2.0 Guide

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.