000025807 - How to retrieve attributes from a FIM IdP

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Number: 000025807
Applies To: RSA Federated Identity Management Module (FIM) 3.1
Microsoft Windows 2003 Server
Solaris 10.0 (SPARC)
Issue: How to retrieve attributes from a FIM IdP
Attribute is not showing up in SAML messages
Cause: FIM is not configured properly to retrieve the attributes.
Resolution:

If you wish to have attributes sent from an IdP to an SP (in the SAML Response message), a number of tasks need to be carried out on both systems, including passing the SP's metadata file over to the IdP.

If you are using ClearTrust 5.5.3 (Access Manager 6.x), the CTBasicAttributePluginRP plug-in should be loaded on the SP and the CTBasicAttributePluginAP plug-in should be loaded on the IdP.  Where these plug-ins are used there is a one-to-one relationship between a ClearTrust property defined for a user and the SAML attribute that will be transferred.

When using the database plug-in or the LDAP plug-in, make sure that you have reviewed the steps in the last 5 pages of chapter 9 of the RSA Federated Identity Manager Installation and Configuration Guide.

If you choose to write a custom attribute plug-in, follow the design notes in the FIM Developer's Guide.

The following steps should be carried out on the SP.

1. In the FIM Administration Console, click Components > Attribute Sets > Add New.  Choose a name for the set and select the "For requesting, as an Attribute Requestor or as a Service Provider" radio button.

2. For each attribute that you want included in the set, add the Attribute Name (the Attribute Friendly Name defaults to the same value) and leave the Name Format as Basic.  When you are happy with the list of attributes, press the Save & Finish button.

3. Edit the local entity settings (click Entities > Local Entities > Manage Existing, then select the particular local entity to edit).  Press the Save & Continue button on the first screen, then scroll down to Applications and Attribute Consuming Services, where you can select the newly created attribute set so that the entity accepts it.

4. Click Save & Finish, then export the metadata for this entity.

5. Edit the Association settings for the SAML relationship (click Entities > Associations > Manage Existing, then select the particular association to edit).  Press the Save & Continue button; on the second screen choose the General Settings tab.  Under the Attribute Plug-ins section, ensure that the desired plug-in has been selected as the Relying Party Attribute Plug-in.

Now follow these steps on the IdP.

6. Import (or re-import) the SP metadata file created in step 4 above.

7. Edit the Association settings for the SAML relationship (click Entities > Associations > Manage Existing, then select the particular association to edit).  Press the Save & Continue button; on the second screen choose the General Settings tab.  Under the Attribute Plug-ins section, ensure that the desired plug-in has been selected as the Asserting Party Attribute Plug-in.
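Once both sides are configured, the quickest way to confirm the result is to compare the attributes the SP requested in its exported metadata (the Attribute Consuming Service from steps 3 and 4) against the AttributeStatement in a SAML Response captured at the SP. The Python script below is an added example, not part of this article or of RSA FIM; the entity IDs, attribute names and both XML documents are constructed samples, and the "Basic" name format is assumed to map to the standard SAML 2.0 basic NameFormat URI.

```python
# Added example (not RSA FIM code): compare the attributes an SP requests in
# its exported metadata with those the IdP actually returns in a SAML
# Response, to narrow down "attribute is not showing up in SAML messages".
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumption: the "Basic" name format chosen in the attribute set is this URI.
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample SP metadata (placeholder entity ID, not real FIM output).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/fim">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <md:RequestedAttribute Name="mail" FriendlyName="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
      <md:RequestedAttribute Name="department" FriendlyName="department"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample Response: the IdP asserted "mail" but not "department".
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2016-06-16T00:00:00Z">
  <saml:Issuer>https://idp.example.com/fim</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-06-16T00:00:00Z">
    <saml:Issuer>https://idp.example.com/fim</saml:Issuer>
    <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>jsmith@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def requested_attributes(metadata_xml):
    """Return {Name: NameFormat} for every RequestedAttribute in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return {
        ra.get("Name"): ra.get("NameFormat", BASIC)
        for ra in root.iterfind(".//md:RequestedAttribute", NS)
    }


def asserted_attributes(response_xml):
    """Return {Name: (NameFormat, [values])} from the AttributeStatements."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found[attr.get("Name")] = (attr.get("NameFormat", BASIC), values)
    return found


def response_status(response_xml):
    """Return the top-level StatusCode Value, or None if absent."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code.get("Value") if code is not None else None


def diagnose(metadata_xml, response_xml):
    """List what the SP would complain about, in a stable order."""
    problems = []
    status = response_status(response_xml)
    if status != SUCCESS:
        problems.append("response status is %s" % status)
    wanted = requested_attributes(metadata_xml)
    got = asserted_attributes(response_xml)
    for name, fmt in sorted(wanted.items()):
        if name not in got:
            problems.append("missing attribute %s" % name)
        elif got[name][0] != fmt:
            problems.append("attribute %s has NameFormat %s, expected %s"
                            % (name, got[name][0], fmt))
        elif not got[name][1]:
            problems.append("attribute %s has no value" % name)
    return problems


if __name__ == "__main__":
    for problem in diagnose(SP_METADATA, SAML_RESPONSE):
        print(problem)
```

Run it against the metadata you exported in step 4 and a Response captured from the SP's trace log: a missing attribute points at the IdP side (step 6 import or the Asserting Party plug-in in step 7), whereas a NameFormat mismatch points back at the attribute set defined in step 2.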

Full documentation on administration, creating plug-ins and configuration can be found on SecurCare Online at:

RSA Federated Identity Manager 3.1 Planning Guide
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/plan.pdf

RSA Federated Identity Manager 3.1 Installation & Configuration Guide
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/install.pdf

RSA Federated Identity Manager 3.1 Developer's Documentation
https://knowledge.rsasecurity.com/docs/rsa_fim/fim31/devguide.zip

Legacy Article ID: a31740
