The attributes you specify on the Identity Server are used in attribute requests and responses, depending on whether you are configuring a service provider (request) or identity provider (response). Attribute sets provide a common naming scheme for the exchange. For example, an attribute set can map an LDAP attribute such as givenName to the equivalent remote name used at the service provider, which might be firstName. These shared attributes can then be used for policy enforcement, user identification, and data injection.
For example, you could have a Web server application that requires the user’s e-mail address. For this scenario, you configure the Web server to be a protected resource of the Access Gateway, and you configure an Identity Injection policy to add the user’s email address to a custom HTTP header. When the user accesses the protected resource, the value of the email attribute is retrieved. However, if you create an attribute set with this attribute, then assign it to be sent with the authentication response of the Embedded Service Provider of the Access Gateway, the value is cached at authentication and is immediately available. If you have multiple attributes that you are using in policies, obtaining the values in one LDAP request at authentication time can reduce the amount of LDAP traffic to your user store.
You can define multiple attribute sets and assign them to different trusted relationships. You can also use the same attribute set for multiple trusted relationships.
To create and configure an attribute set:
In the Administration Console, click Devices > Identity Server > Shared Settings > Attribute Sets > New.
Fill in the following fields:
Set Name: Specify a name for identifying the attribute set.
Select set to use as template: Select an existing attribute set that you have created, which you can use as a template for the new set, or select None. To modify an existing attribute set, select that set as a template.
To add an attribute to the set, click New.
Fill in the following fields:
Specify the attribute. Select from the following:
Local Attribute: Select an attribute from the drop-down list of all server profile, LDAP, and shared secret attributes. For example, you can select All Roles to use in role policies, which enables trusted providers to send role information in authentication assertions. Share secret attributes must be created before they can be added to an attribute set. For instructions, see Section 6.4.1, Creating Shared Secret Names.
Constant: Specify a value that is constant for all users of this attribute set. The name of the attribute that is associated with this value is specified in the Remote Attribute field.
Remote Attribute: Specify the name of the attribute defined at the external provider. The text for this field is case sensitive.
A value is optional if you are mapping a local attribute. If you leave this field blank, the system sends an internal value that is recognized between Identity Servers.
For a SAML 1.1 identity consumer (service provider), a name identifier received in an assertion is automatically given a remote attribute name of saml:NameIdentifier. This allows the name identifier to be mapped to a profile attribute that can then be used in policy definitions.
A value is required if you are mapping a constant.
An attribute set with a constant is usually set up when the Identity Server is acting as an identity provider for a SAML or Liberty service provider. The name must match the attribute name that the service provider is using.
Remote namespace: Specify the namespace defined for the attribute by the remote system:
If you are defining an attribute set for LDAP, select none. If you want a service provider to accept any namespace specified by an identity provider, select none. If you want an identity provider to use a default namespace, select none. The urn:oasis:names:tc:SAML:1.0:assertion value is sent as the default.
If you are defining an attribute set for CardSpace, select the following:
If you are defining an attribute set for WS Federation, select the radio button next to the text box, then specify the following name in the text box.
If you want to specify a new namespace, select the radial button by the text box, then specify the name in the text box.
Remote format: Select one of the following formats:
unspecified: Indicates that the interpretation of the content is implementation-specific.
uri: Indicates that the interpretation of the content is application-specific.
basic: Indicates that the content conforms to the xs:Name format as defined for attribute profiles.
The system displays the map settings on the Define Attributes page, as shown below:
You can continue adding as many attributes as you need.
Click Finish after you created the map.
The system displays the map on the Attribute Sets page, as well as indicating whether it is in use by a provider.
(Conditional) To configure a provider to use the attribute set, see Section 7.6, Selecting Attributes for a Trusted Provider.