Process SAML Attribute Query Request Assertion
The Process SAML Attribute Query Request assertion validates AttributeQuery requests based on user configuration. It also makes values and elements from an AttributeQuery available as context variables. This assertion only supports SAML 2.0.
To learn about selecting the target message for this assertion, see Selecting a Target Message.
Context Variables Created by This Assertion
The Process SAML Attribute Query Request assertion sets the following context variables. The default <prefix> is "attrQuery" and can be changed in the assertion properties. The 'subject' context variables in the table below (except for subject.format) will not be set if the NameID was encrypted and decryption was not configured.

Context variable | Type | Notes |
<prefix>.attributes | Element (multivalued) | All Attribute elements contained in the AttributeQuery. |
<prefix>.subject | String | Value of the Subject's NameID. |
<prefix>.subject.nameQualifier | String | Subject's NameID's NameQualifier attribute value, if provided. |
<prefix>.subject.spNameQualifier | String | Subject's NameID's SPNameQualifier attribute value, if provided. |
<prefix>.subject.format | String | Subject's NameID's Format attribute value, if provided. Never empty; if not supplied, the value will be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. |
<prefix>.subject.spProvidedId | String | Subject's NameID's SPProvidedID attribute value, if present. |
<prefix>.Id | String | AttributeQuery's ID attribute, if present. |
<prefix>.version | String | AttributeQuery's Version attribute, if present. |
<prefix>.issueInstant | String | AttributeQuery's IssueInstant attribute, if present. |
<prefix>.destination | String | AttributeQuery's Destination attribute, if present. |
<prefix>.consent | String | AttributeQuery's Consent attribute. If not supplied, the value will be urn:oasis:names:tc:SAML:2.0:consent:unspecified. |
<prefix>.issuer | String | AttributeQuery's Issuer element's value, if present. |
<prefix>.issuer.nameQualifier | String | Issuer's NameQualifier attribute value, if present. |
<prefix>.issuer.spNameQualifier | String | Issuer's SPNameQualifier attribute value, if present. |
<prefix>.issuer.format | String | Issuer's Format attribute value, if present. |
<prefix>.issuer.spProvidedId | String | Issuer's SPProvidedID attribute value, if present. |
The following variables may also be set:
- If decryption is configured and was performed (Decrypt EncryptedID check box in the properties), then all the context variables from the (Non-SOAP) Decrypt XML Element assertion are also set. These variables include: <prefix>.elementsDecrypted, <prefix>.encryptionMethodUris and <prefix>.recipientCertificates. The prefix used for those variables is the prefix specified in the properties. For more information, see (Non-SOAP) Decrypt XML Element Assertion.
Using the Assertion
1. Do one of the following:
   - To add the assertion to the Policy Development window, see Add an Assertion.
   - To change the configuration of an existing assertion, proceed to step 2 below.
2. Right-click Process SAML Attribute Query Request in the policy window and select SAML Attribute Query Request Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
3. Configure the dialog as follows:

AttributeQuery Validation
- SAML Version: Only SAML 2.0 is supported.
- SOAP Encapsulated: Select this check box if the AttributeQuery is encapsulated within a SOAP envelope.

Request Validation
Select the appropriate check boxes to indicate which attributes or elements must be present in an AttributeQuery request:
- Issuer
- Signature*
- ID
- Version
- IssueInstant
- Consent
- Destination**
If an attribute/element has been configured but is missing, the assertion fails.
* This assertion does not validate or verify the signature; it only checks that one is present. To validate the signature, use the (Non-SOAP) Verify XML Element assertion. To remove the signature, use the Add or Remove XML Element(s) assertion.
** Select the Destination check box to indicate that a Destination attribute is required. If the Destination attribute must have an allowed value, enter all allowed values in the adjacent text box. Enter as many values as needed, separated by a space. You may specify URIs or context variables of type String (variables that resolve to an empty string or a non-string are ignored and will not cause assertion failure, but a 'Warning' audit is logged). Context variables may contain space-separated URI strings.

Subject Validation
- Allow: Select the supported Subject identifiers: NameID, EncryptedID. If [EncryptedID] is permitted, select the Decrypt EncryptedID check box to decrypt the EncryptedID and update the message with the result of the decryption.
  The "Require Format" and "Allowed NameID Format" validations are applied only when a NameID was included in the AttributeQuery, or when an EncryptedID was received and decrypted. If decryption was not selected, this validation cannot be performed and the context variables related to the NameID are not set.
- Require format: Select this check box to require the Format attribute to be present on the NameID; otherwise the assertion fails. Clear this check box if the Format attribute is not required. If no Format attribute is supplied, it has the following default value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Allowed NameID formats: Select the supported NameID formats from the list. By default, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is selected, as this is the default value of this attribute when no value is supplied.
- Custom: If the NameID format you need is not listed, enter a set of custom Format URI values here. Enter as many values as needed, separated by a space. You may specify URIs or context variables of type String (variables that resolve to an empty string are ignored and will not cause assertion failure, but a "Warning" audit is logged). Context variables may be single- or multivalued. Single-valued variables may contain space-separated URI strings.

SAML Attribute Validation
This section configures the rules for the saml:Attribute elements contained in the AttributeQuery.
- Require Attributes: Select this check box to fail the assertion if an empty AttributeQuery is received. Clear the check box if attributes are not required.
- Verify unique Name + NameFormat: Select this check box to fail the assertion if there are any logical duplicate attributes (the same Name and NameFormat pair). Note that the AttributeValue (if any) is not considered in this check.
- Require NameFormat: Select this check box to fail the assertion if the NameFormat attribute is not present. Clear this check box if the NameFormat attribute is not required.
- Allowed NameFormats: Select the supported NameFormats from the list. By default, urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified is selected, as this is the default value of this attribute when no value is supplied.
- Custom: If the NameFormat you need is not listed, enter a set of custom NameFormat URI values here. Enter as many values as needed, separated by a space. You may specify URIs or context variables of type String (variables that resolve to an empty string are ignored and will not cause assertion failure, but a 'Warning' audit is logged). Context variables may be single- or multivalued. Single-valued variables may contain space-separated URI strings.

Variable Prefix
Enter a prefix that will be added to the context variables created by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy. The default variable prefix is attrQuery. For an explanation of the validation messages displayed, see Context Variable Validation.

4. Click [OK] when done.
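The following is an added example, not code from the gateway product or its vendor. It shows, in Python, what the configuration above amounts to when applied to a real SAML 2.0 AttributeQuery: the Request Validation presence checks (including the point that a Signature is only checked for presence, never verified), the Destination allow-list, the Subject Allow/Require format/Allowed NameID formats rules, the SAML Attribute emptiness, uniqueness and NameFormat rules, and the <prefix>.* context variables from the table earlier on this page. The sample request, the config key names and the error strings are assumptions of this example; only a plaintext NameID is handled (EncryptedID decryption is a separate assertion).

```python
# Added example, not CA/Layer7 gateway code. Config keys and the sample request are
# assumptions of this example; context-variable names follow the table on this page.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
UNSPECIFIED_CONSENT = "urn:oasis:names:tc:SAML:2.0:consent:unspecified"
UNSPECIFIED_ATTRNAME = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
QUALIFIERS = (("NameQualifier", "nameQualifier"), ("SPNameQualifier", "spNameQualifier"),
              ("Format", "format"), ("SPProvidedID", "spProvidedId"))
# Constructed sample request; not captured from any real deployment.
SAMPLE_QUERY = """<samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://gateway.example.test/saml/attrquery">
  <saml:Issuer>https://sp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        SPNameQualifier="https://sp.example.test">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
  <saml:Attribute Name="dept" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
</samlp:AttributeQuery>"""
STRICT_CONFIG = {  # a strict properties-dialog configuration (assumed key names)
    "required": ["Issuer", "ID", "Version", "IssueInstant", "Destination"],
    "allowed_destinations": {"https://gateway.example.test/saml/attrquery"},
    "allow_subject": {"NameID"}, "require_format": True,
    "allowed_nameid_formats": {"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"},
    "require_attributes": True, "verify_unique": True, "require_nameformat": True,
    "allowed_nameformats": {"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"}}


def _copy_attrs(elem, ctx, base, pairs):
    # Copy the XML attributes that are present into ctx under their variable names.
    for xml_attr, var in pairs:
        if xml_attr in elem.attrib:
            ctx[base + var] = elem.get(xml_attr)


def extract_context(root, prefix="attrQuery"):
    """Build the <prefix>.* variables from the table above (plaintext NameID only)."""
    ctx = {prefix + ".attributes": root.findall("saml:Attribute", NS),
           prefix + ".consent": root.get("Consent", UNSPECIFIED_CONSENT)}
    _copy_attrs(root, ctx, prefix + ".", (("ID", "Id"), ("Version", "version"),
                                          ("IssueInstant", "issueInstant"), ("Destination", "destination")))
    issuer = root.find("saml:Issuer", NS)
    if issuer is not None:
        ctx[prefix + ".issuer"] = (issuer.text or "").strip()
        _copy_attrs(issuer, ctx, prefix + ".issuer.", QUALIFIERS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:  # an undecrypted EncryptedID leaves subject.* unset
        ctx[prefix + ".subject"] = (name_id.text or "").strip()
        _copy_attrs(name_id, ctx, prefix + ".subject.", QUALIFIERS)
        ctx[prefix + ".subject.format"] = name_id.get("Format", UNSPECIFIED_NAMEID)  # never empty
    return ctx


def validate(root, config):
    """Return the reasons the assertion would fail (an empty list means success)."""
    failures = []
    # Request validation is presence only; a Signature is never verified here.
    elements = {"Issuer": "saml:Issuer", "Signature": "ds:Signature"}
    for name in config.get("required", ()):
        present = (root.find(elements[name], NS) is not None if name in elements
                   else name in root.attrib)
        if not present:
            failures.append("missing required " + name)
    allowed_dest = config.get("allowed_destinations")
    if allowed_dest and root.get("Destination") not in allowed_dest:
        failures.append("Destination not in allowed list: %r" % root.get("Destination"))
    # Subject validation: permitted identifier kinds, then Format rules for a plaintext NameID.
    allow = config.get("allow_subject", {"NameID"})
    for kind in ("NameID", "EncryptedID"):
        if root.find("saml:Subject/saml:" + kind, NS) is not None and kind not in allow:
            failures.append(kind + " subject not permitted")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        if config.get("require_format") and "Format" not in name_id.attrib:
            failures.append("NameID Format attribute required")
        fmt = name_id.get("Format", UNSPECIFIED_NAMEID)
        if fmt not in config.get("allowed_nameid_formats", {UNSPECIFIED_NAMEID}):
            failures.append("NameID Format not allowed: " + fmt)
    # SAML Attribute validation: emptiness, logical duplicates (value ignored), NameFormat rules.
    attrs = root.findall("saml:Attribute", NS)
    if config.get("require_attributes") and not attrs:
        failures.append("AttributeQuery contains no Attribute elements")
    seen = set()
    for attr in attrs:
        key = (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED_ATTRNAME))
        if config.get("verify_unique") and key in seen:
            failures.append("duplicate Attribute Name+NameFormat: %r" % (key,))
        seen.add(key)
        if config.get("require_nameformat") and "NameFormat" not in attr.attrib:
            failures.append("Attribute %r lacks NameFormat" % attr.get("Name"))
        if key[1] not in config.get("allowed_nameformats", {UNSPECIFIED_ATTRNAME}):
            failures.append("Attribute NameFormat not allowed: " + key[1])
    return failures


def process(xml_text, config, prefix="attrQuery"):
    # Parse one AttributeQuery and return (context_variables, failures).
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AttributeQuery" % NS["samlp"]:
        return {}, ["root element is not samlp:AttributeQuery"]
    return extract_context(root, prefix), validate(root, config)
```

Running `process(SAMPLE_QUERY, STRICT_CONFIG)` returns the populated context dictionary and an empty failure list; duplicating an Attribute's Name, dropping the NameID Format, or requiring a Signature the request lacks each produces the corresponding failure, which is the behaviour the check boxes above describe. Note that, exactly as with the assertion, a present Signature satisfies only the presence check here; verification must be done separately.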