Authorize through a SAML attribute query

The requester is authorized by a SAML attribute query-response exchange between the DataPower® Gateway and a SAML server: the DataPower Gateway sends an attribute query for the authenticated identity to the SAML server and compares the attributes in the response against the configured authorization criteria.

To define this authorization method, the AAA policy needs the following data.
  • The location of the SAML server as a URL.
  • The SAML match type, which defines the minimum criteria that the attributes in the response must meet for the requester to be authorized. See Defining SAML attributes for AAA authorization. The match types are:
    • At least one attribute name in the response from the SAML server must match the name of a configured SAML attribute.
    • All attribute names in the response from the SAML server must match the names of the configured SAML attributes.
    • At least one attribute name and its corresponding value in the response from the SAML server must match a name-value pair in the configured SAML attributes.
    • All attribute name-value pairs in the response from the SAML server must match name-value pairs in the configured SAML attributes.
    • An XPath expression that is evaluated against the response must select a node; the expression can match attribute names or names and values.
  • For XPath expression matching, the operative XPath expression.

    For assistance, click XPath tool. This tool loads an XML document and builds the expression by selecting the node.

    If the defined XPath expression contains namespace elements, you need to provide the namespace or prefix data. Depending on how you are defining the configuration, the way you set namespace data for XPath bindings differs.
    • In the wizard, click XPath binding.
    • In the generic configuration, click the Namespace mapping tab.
  • The value of the NameQualifier attribute of the NameIdentifier in the generated SAML query. Some SAML implementations require this value to be present. The name qualifier is defined in Section 2.4.2.2 of Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1.
  • The SAML protocol version for SAML authorization. The version affects the format of messages that are sent to SAML authorities.
  • The TLS client profile to secure the connection to the remote SAML server. The attributes that drive the authorization decision travel over this connection, so the server certificate validation in this profile is what prevents a spoofed SAML server from supplying attributes.
  • The skew time. The skew time is the maximum difference that you tolerate between the DataPower Gateway clock and the clock of the system that issued the SAML token. When the skew time is set, the validity window of the SAML assertion is widened by the skew time on both ends when the DataPower Gateway uses the SAML token.
    • NotBefore is validated with the skew time subtracted: the assertion is accepted if NotBefore minus SkewTime is not later than the current time.
    • NotOnOrAfter is validated with the skew time added: the assertion is accepted if the current time is earlier than NotOnOrAfter plus SkewTime.
    Because the skew time extends the usable lifetime of every assertion, keep it small (seconds to a few minutes) and synchronize the DataPower Gateway clock with NTP instead of compensating for drift with a large skew time.
  • The signing and signature verification properties. Each of these properties applies to the entire configuration of an AAA policy and, in the generic configuration, is on the Main tab.
    • The validation credentials to verify the signature on SAML messages from the SAML server; the credentials must contain the certificate that corresponds to the key that signed the message.
    • The key to sign SAML messages.
    • The public certificate that is associated with the key to sign SAML messages.
    • The algorithm for the SignatureMethod to sign SAML messages.
    • The algorithm to calculate the message digest for signing.
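The following is an added example, not DataPower code, that walks through the exchange and the decision described above in plain Python: it builds the SAML 1.1 attribute query that the gateway sends (with an optional NameQualifier), parses a constructed sample response from the SAML server, applies the skew time to the NotBefore and NotOnOrAfter conditions, and evaluates the five match types against a configured attribute set. The response XML, the attribute names and values, and the match-type labels (any-name, all-names, any-name-value, all-name-values, xpath) are all assumptions chosen for the example and are not DataPower configuration values; XPath matching uses the limited XPath subset of Python's ElementTree rather than a full XPath engine, and XML signature verification is deliberately left out.

```python
# Added example (not IBM DataPower code): the SAML 1.1 attribute query exchange
# and the authorization decision described on this page, in plain Python.
# The Response below is constructed; the match-type labels are descriptive names
# chosen here, not DataPower configuration values.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def utc(ts: str) -> datetime:
    """Parse the UTC timestamps used in SAML assertions (seconds precision)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_attribute_query(subject: str, name_qualifier: Optional[str], now: datetime) -> str:
    """Gateway side: the SAML 1.1 Request/AttributeQuery sent to the SAML server.
    NameQualifier is emitted only when configured (some servers require it)."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "1",
        "RequestID": "_" + uuid.uuid4().hex,  # xsd:ID must not start with a digit
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery")
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subj, f"{{{SAML}}}NameIdentifier")
    if name_qualifier:
        nid.set("NameQualifier", name_qualifier)
    nid.text = subject
    return ET.tostring(req, encoding="unicode")


# Constructed sample Response from the SAML server. The XML signature is omitted;
# in a real deployment it is verified with the validation credentials before
# any attribute in the response is trusted.
RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    MajorVersion="1" MinorVersion="1" ResponseID="_r1" IssueInstant="2024-05-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1"
      Issuer="https://saml.example.com" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier NameQualifier="example.com">alice</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="role" AttributeNamespace="urn:example:attrs">
        <saml:AttributeValue>reader</saml:AttributeValue>
        <saml:AttributeValue>editor</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute AttributeName="department" AttributeNamespace="urn:example:attrs">
        <saml:AttributeValue>payments</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text: str):
    """Return (root, {AttributeName: {values}}); reject any status other than Success."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("SAML server did not report Success")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = {v.text or "" for v in attr.findall("saml:AttributeValue", NS)}
        attrs.setdefault(attr.get("AttributeName"), set()).update(values)
    return root, attrs


def conditions_valid(root, now: datetime, skew_seconds: int) -> bool:
    """Skew time widens the window on both ends:
    NotBefore - skew <= now < NotOnOrAfter + skew."""
    skew = timedelta(seconds=skew_seconds)
    for cond in root.iterfind(".//saml:Conditions", NS):
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < utc(nb) - skew:
            return False
        if noa and now >= utc(noa) + skew:
            return False
    return True


def attributes_match(attrs, root, match_type: str, required: dict, xpath: Optional[str] = None) -> bool:
    """The five match types. `required` maps AttributeName -> value (the value is
    ignored by the name-only types). An empty requirement never authorizes."""
    if match_type == "xpath":
        return bool(xpath) and root.find(xpath, NS) is not None
    if not required:
        return False
    has_name = {n: n in attrs for n in required}
    has_pair = {n: v in attrs.get(n, set()) for n, v in required.items()}
    return {
        "any-name": any(has_name.values()),
        "all-names": all(has_name.values()),
        "any-name-value": any(has_pair.values()),
        "all-name-values": all(has_pair.values()),
    }[match_type]


def authorize(xml_text, now, skew_seconds, match_type, required, xpath=None) -> bool:
    """Whole decision for one response: status, validity window, then attribute match."""
    root, attrs = parse_response(xml_text)
    return conditions_valid(root, now, skew_seconds) and attributes_match(
        attrs, root, match_type, required, xpath)
```

The decision order matters: the status and the validity window are checked before any attribute is compared, so an expired assertion is rejected even when its attributes would match, and a skew of a few seconds is enough to absorb ordinary clock drift without extending the lifetime of every assertion.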