Evaluate SAML Protocol Response Assertion

The Evaluate SAML Protocol Response assertion is used to evaluate a SAML Protocol response. To create a SAML Protocol response, use the Build SAML Protocol Response assertion.
To learn about selecting the target message for this assertion, see Select a Target Message.
The Evaluate SAML Protocol Response assertion is typically used as follows in a policy:
Build SAML Protocol Request
Route via HTTP(S)
Evaluate SAML Protocol Response
You can use context variables in many of the text fields in the wizard. These variables are resolved at runtime, when the SAMLP response is being evaluated.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. Right-click <target>: Evaluate SAML Protocol Response in the policy window and select SAML Protocol Response Wizard, or double-click the assertion in the policy window. The wizard appears.
  3. Follow the wizard to complete the assertion.
For more information about wizards, see "Wizard" under Interfaces.
Wizard Steps and Descriptions
Step 1: Introduction
Introduces the wizard.
Step 2: Target Message
Specify the location of the SAMLP response message for the evaluator to parse: Request, Response, or some Other Message Variable, with the default being "${samlpResponse.message}". For more information on message type variables, see Context Variables. To learn how to change the message target, see Select a Target Message.
Step 3: SAML Version
Specify the version of the SAMLP response that will be evaluated by this assertion.
Step 4: SAMLP Response Type
Specify the type of SAMLP response being evaluated:
  • Authentication Request:
    The response contains authentication statements.
    Note:
    The Authentication Request option is available only when SAML 2.0 was selected in Step 3.
  • Authorization Decision Request:
    The response contains statements that assert a subject is permitted to perform a specified action on a specified resource.
  • Attribute Query Request:
    The response contains a list of attributes for the subject.
Step 5: Response Status
Indicate whether the Evaluate SAML Protocol Response assertion should fail if the response status could not be successfully retrieved. Note that this option concerns retrieval only: a status other than Success does not by itself fail the assertion, so check the status value in your policy.
The system always sets the top-level response status into the context variable samlpResponse.status.
Step 6: Authorization Validation
This step is displayed only if "Authorization Decision Request" was selected in Step 4.
Specify whether the assertion should fail based on the SAMLP response:
  • To never fail the assertion based on a retrieved response, clear the Fail the assertion... check box.
  • To fail the assertion unless the response matches your specified choice, select the Fail the assertion... check box and then choose a response from the drop-down list. The default is Permit, which means the assertion will fail unless the SAMLP response is 'Permit'.
The Authorization Decision Statement is stored in the context variable samlpResponse.authz.decision.
Step 7: Attribute Statement
Specify the SAML attributes that the SAML statement must describe.
  1. Click [Add] and then complete the Edit SAML Attribute Properties dialog:
    • Attribute Name: Enter the name of the attribute.
    • Attribute Namespace: Optionally enter a namespace for the attribute. This applies only to SAML 1.x.
    • Attribute Name Format: Optionally specify a URI reference that describes the format of the attribute name. Only attributes that declare this format will be accepted. This applies only to SAML 2.x.
      Unspecified: If no name format is provided, the default value of urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified is used.
      URI Reference: This option uses the URI urn:oasis:names:tc:SAML:2.0:attrname-format:uri.
      Basic: This option uses the URI urn:oasis:names:tc:SAML:2.0:attrname-format:basic.
      Other: Select this option to define your own attribute name format in the box below.
    • Attribute Friendly Name: Optionally enter a friendly name for the attribute to be used for display purposes. This applies only to SAML 2.x.
    • Attribute Value: Enter the value of the attribute.
  2. Click [OK] to enter the attribute into the table. Repeat to configure additional attributes.
To modify an existing Attribute Statement, select it from the list and then click [Edit].
To remove an Attribute Statement, select it from the list and then click [Remove].
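The following is an added example, not the Gateway's own implementation, showing what Steps 5 to 7 amount to when applied to a SAML 2.0 samlp:Response: read the top-level status (the value samlpResponse.status carries), read the authorization decision (samlpResponse.authz.decision) and compare it against the required choice, and check that every required attribute is present with exactly the declared name format. The two response documents are constructed for the example; the function and variable names are the example's own. It deliberately does no XML signature or issuer validation, which this page does not describe and which any real deployment must perform before trusting a response.

```python
"""Added example: evaluate a constructed SAML 2.0 samlp:Response the way
Steps 5-7 of the Evaluate SAML Protocol Response wizard describe.
Not the Gateway's code; no signature verification is performed here."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
FMT_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
FMT_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
FMT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample: successful response with an authorization decision
# and two attributes (one with NameFormat=basic, one without a NameFormat).
SAMPLE_PERMIT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:AuthzDecisionStatement Resource="https://api.example.test/orders" Decision="Permit">
      <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
    </saml:AuthzDecisionStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:example:role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: error response whose top-level StatusCode is Requester
# with a subordinate RequestDenied code; only the top-level value is reported.
SAMPLE_DENIED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:RequestDenied"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""


def response_status(root):
    """Step 5: the top-level StatusCode Value (what samlpResponse.status holds),
    ignoring nested subordinate codes; None if the response has no status."""
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return None if code is None else code.get("Value")


def authz_decision(root):
    """Step 6: Decision of the first AuthzDecisionStatement (Permit, Deny or
    Indeterminate), stored as samlpResponse.authz.decision; None if absent."""
    stmt = root.find(".//saml:AuthzDecisionStatement", NS)
    return None if stmt is None else stmt.get("Decision")


def missing_attributes(root, required):
    """Step 7: (name, name_format) pairs with no matching saml:Attribute.
    An Attribute without NameFormat counts as 'unspecified', and the format
    must match exactly: only attributes that declare that format are accepted."""
    present = {(a.get("Name"), a.get("NameFormat", FMT_UNSPECIFIED))
               for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    return [(n, f) for n, f in required if (n, f or FMT_UNSPECIFIED) not in present]


def evaluate(xml_text, fail_if_no_status=True, required_decision="Permit", required_attrs=()):
    """Apply the three checks and report what the context variables would hold.
    required_decision=None clears the 'Fail the assertion...' box of Step 6."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    status, decision = response_status(root), authz_decision(root)
    missing = missing_attributes(root, required_attrs)
    failures = []
    if fail_if_no_status and status is None:
        failures.append("response status could not be retrieved")
    if required_decision is not None and decision != required_decision:
        failures.append("decision %r is not %r" % (decision, required_decision))
    if missing:
        failures.append("missing attributes: %r" % missing)
    return {"samlpResponse.status": status, "samlpResponse.authz.decision": decision,
            "missing": missing, "failures": failures, "passed": not failures}


if __name__ == "__main__":
    print(evaluate(SAMPLE_PERMIT, required_attrs=[("email", FMT_BASIC), ("urn:example:role", None)]))
    print(evaluate(SAMPLE_DENIED, required_decision=None))
```

Two points the run makes visible: requiring "email" with the URI Reference format fails even though the attribute exists with the Basic format, because the format must match exactly; and the denied response still passes when the decision check is off, because Step 5 only guards against a status that cannot be retrieved. A policy that must reject anything but Success has to compare samlpResponse.status itself after this assertion.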