simeonof

NAM 4.3 SAML AttributeQuery

Hey everybody,

Has anyone tried a SAML AttributeQuery against a NAM IDS? Is it supported at all? What I've found so far is:

SAML attribute query URL: The URL location where an attribute query is to be sent to the partner. The attribute query requests a set of attributes associated with a specific object. A successful response contains assertions that contain attribute statements about the subject. A SAML 1.1 provider might use the base URL, followed by /saml/soap. For example, https://<dns>:8443/nidp/saml/soap. Replace <dns> with the DNS name of the provider.
- this seems like NAM is able to perform attribute queries against another IDP.

Attribute Query from OIOSAML.SP Java Service Provider Fails with Null Pointer
- seems like there is this kind of functionality, and there's a workaround described for this to work.

NIDS: Received an Attribute Query Request (002e000d)
This event is generated when you select the Attribute Query Request Handled option under Novell Audit Logging on the Logging page of an Identity Server configuration.
- also makes me believe this is supported.

Unfortunately, I can't find any documentation on the topic, no example code, nothing.

Any help is appreciated. Basically, the goal is for NAM IDS (acting as IDP) to be able to send back in the assertion to the SP (non-NAM) some attribute values that the SP requests (and those attributes belong to a different custom-class object than the logged-in user).

Cheers,
Milko
slongholio

Re: NAM 4.3 SAML AttributeQuery

Simeonof;2457865 wrote:
Hey everybody,

Any help is appreciated. Basically, the goal is for NAM IDS (acting as IDP) to be able to send back in the assertion to the SP (non-NAM) some attribute values that the SP requests (and those attributes belong to a different custom-class object than the logged-in user).

Cheers,
Milko


I'm taking a swing at it based on limited information. Maybe point to another replica as an external source (or it says it can't be the same source as your user store, but if it doesn't check ....)? Now, figuring out how to map those custom-class attributes to your user might be the challenge.

https://www.netiq.com/documentation/access-manager-43/admin/data/external_attrb.html

Also note if using virtual attributes, you should patch up to 4.3.1 Hot Fix 1. See "what's new" there.
simeonof

Re: NAM 4.3 SAML AttributeQuery

slongholio;2457937 wrote:
I'm taking a swing at it based on limited information. Maybe point to another replica as an external source (or it says it can't be the same source as your user store, but if it doesn't check ....)? Now, figuring out how to map those custom-class attributes to your user might be the challenge.

https://www.netiq.com/documentation/access-manager-43/admin/data/external_attrb.html

Also note if using virtual attributes, you should patch up to 4.3.1 Hot Fix 1. See "what's new" there.


This works fine, but it's not enough. NAM accepts the same LDAP user store as an External Source. I can construct a virtual attribute with all kinds of attribute values from all kinds of object classes. So far so good.

The thing is that the LDAP query used by NAM to query the External Source is pre-defined with static parameters. These parameters can take their values from LDAP attributes. I need these parameters to be able to take their values from the SAML Authentication Request that NAM IDS is receiving from the SP.

Here's part of an example AuthenticationRequest:

<storkp:RequestedAttributes>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/auth.authenticationPortalUrl"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="true">
    <stork:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">https://customs.gravis.bg:8643/eportal/</stork:AttributeValue>
  </stork:RequestedAttribute>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/auth.delegationSystem"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="true">
    <stork:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">LD</stork:AttributeValue>
  </stork:RequestedAttribute>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/auth.delegationType"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="false"/>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/auth.domain"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="true">
    <stork:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">CUST</stork:AttributeValue>
  </stork:RequestedAttribute>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/auth.fallbackLanguage"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="false"/>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/auth.preferredLanguage"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="false">
    <stork:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">en</stork:AttributeValue>
  </stork:RequestedAttribute>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/citizenQAALevel"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="true"/>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/delegator.alternateIdentifier"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="false"/>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/delegator.countryCode"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="true"/>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/delegator.firstname"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="false"/>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/delegator.identifier"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      isRequired="true">
    <stork:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">BG1234567890</stork:AttributeValue>
  </stork:RequestedAttribute>


If you have a look at the last RequestedAttribute tag above, you'll see the value BG1234567890. I need this value as a parameter in the LDAP query.

If there's another way, I'd be happy to hear it.

Cheers,
Milko
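As an added illustration of the step the thread is after (this is example code, not part of the thread and not NAM's own implementation): parse the RequestedAttributes block, pull out the delegator.identifier value the SP sent, and escape it per RFC 4515 before it becomes an LDAP filter parameter. A value lifted from an SP's request is attacker-influenced input as far as the IDP is concerned, so splicing it into a filter raw would be an LDAP injection risk. The storkp/stork namespace URIs and the `uniqueIdentifier` LDAP attribute name are assumptions; the posted fragment omits its xmlns declarations and never names the directory attribute.

```python
"""Extract STORK RequestedAttribute values from a SAML AuthnRequest fragment
and escape them for safe use as LDAP filter parameters (RFC 4515).

Added example, not NAM code. The stork/storkp namespace URIs are assumed;
the forum fragment does not declare them.
"""
import xml.etree.ElementTree as ET

# Assumed namespace bindings (the posted fragment omits the xmlns declarations).
NS = {
    "storkp": "urn:eu:stork:names:tc:STORK:1.0:protocol",
    "stork": "urn:eu:stork:names:tc:STORK:1.0:assertion",
}

# Constructed sample: a trimmed version of the posted RequestedAttributes block,
# wrapped in a root element that declares the assumed namespaces.
SAMPLE_REQUEST = """<storkp:RequestedAttributes
    xmlns:storkp="urn:eu:stork:names:tc:STORK:1.0:protocol"
    xmlns:stork="urn:eu:stork:names:tc:STORK:1.0:assertion">
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/auth.domain"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
    <stork:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">CUST</stork:AttributeValue>
  </stork:RequestedAttribute>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/citizenQAALevel"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
  <stork:RequestedAttribute Name="http://www.stork.gov.eu/1.0/delegator.identifier"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true">
    <stork:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:anyType">BG1234567890</stork:AttributeValue>
  </stork:RequestedAttribute>
</storkp:RequestedAttributes>
"""

DELEGATOR_ID = "http://www.stork.gov.eu/1.0/delegator.identifier"


def requested_attributes(xml_text):
    """Return {Name: [values...]} for every RequestedAttribute.
    Attributes requested without a value (e.g. citizenQAALevel) map to []."""
    root = ET.fromstring(xml_text)
    result = {}
    for ra in root.findall("stork:RequestedAttribute", NS):
        values = [(v.text or "").strip()
                  for v in ra.findall("stork:AttributeValue", NS)]
        result[ra.get("Name")] = values
    return result


def ldap_filter_escape(value):
    """Escape a value for embedding in an LDAP search filter (RFC 4515 s.3):
    backslash, asterisk, parentheses and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def delegator_filter(xml_text, attr="uniqueIdentifier"):
    """Build an LDAP filter locating the delegator object named in the request.
    `attr` is a hypothetical placeholder for the site-specific directory attribute."""
    values = requested_attributes(xml_text).get(DELEGATOR_ID, [])
    if len(values) != 1 or not values[0]:
        raise ValueError("delegator.identifier must carry exactly one value")
    return "(%s=%s)" % (attr, ldap_filter_escape(values[0]))


if __name__ == "__main__":
    for name, vals in requested_attributes(SAMPLE_REQUEST).items():
        print(name, vals)
    print(delegator_filter(SAMPLE_REQUEST))
```

Whatever mechanism eventually feeds the External Source query, the two properties worth keeping are the ones shown here: reject a request that carries zero or several delegator identifiers rather than guessing, and escape the value so that an SP cannot widen the search with `*` or break out of the filter with parentheses.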