Header-Based Authentication Using SAML

SAML responses from IDP to SP (in the case of identity bridging, Unified Access Gateway) contain SAML assertions, which have SAML attributes. The SAML attributes are configurable in the IDP to point to various parameters such as user name, email and so on.

In the header-based authentication using SAML, the value of a SAML attribute can be sent as an HTTP header to the back-end proxied destination. SAML attribute name defined in Unified Access Gateway is the same as that as in the IDP. For example, if an identity provider has the attribute defined as Name: userName Value: idmadmin, then, SAML attribute name in Unified Access Gateway must be defined as "userName".

SAML attribute that does not match the attribute defined in the IDP is ignored. Unified Access Gateway supports both multiple SAML attributes and multi-valued SAML attributes. Sample excerpts of the SAML assertion expected from an Identity provider are mentioned in the following for each case. For example,

1. SAML response expected from IDP for multiple SAML attributes

<saml:AttributeStatement>
      <saml:Attribute Name="userName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                  <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">idmadmin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="userEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
                 <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">63ecfabf-a577-46c3-b4fa-caf7ae49a6a3</saml:AttributeValue>
      </saml:Attribute>
</saml:AttributeStatement>

In the preceding example, an assertion contains two attributes, "userName" and "userEmail". If header-based authentication is configured only for "userName", with the header name being "HTTP_USER_NAME", then the header is sent as: "HTTP_USER_NAME: idmadmin" Since "userEmail" is not configured on Unified Access Gateway for header-based authentication, it is not sent as a header.

2. SAML response expected from IDP for multi-valued SAML attribute

<saml:AttributeStatement>
      <saml:Attribute Name="group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
             <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">All Employees</saml:AttributeValue>
             <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">All Contractors</saml:AttributeValue>
             <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">All Executives</saml:AttributeValue>
             <saml:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">All</saml:AttributeValue> 
     </saml:Attribute>
</saml:AttributeStatement>

In the preceding example, an attribute "group" contains four values, namely "All Employees", "All Contractors", "All Executives", and "All". If header-based authentication is configured only for "group", with the header name being "HTTP_GROUP", the header is sent as "HTTP_GROUP: All Employees, All Contractors, All Executives, All" with a comma-separated list of all the attribute values as the header value.