Accessing SAML Attributes in OLAC

As previously mentioned, SAML assertions can contain user attribute information. When SAML attributes are found in incoming SAML assertions, the attribute data is cached by iChain for later use in object level access control (OLAC). As with LDAP attributes, SAML attributes can be sent to back-end Web servers as OLAC parameters. This is done by specifying SAML as the OLAC DataSource and the SAML attribute name as the OLAC Value. For example, consider a protected resource where you are sending the user's e-mail address as an OLAC parameter, as shown in Figure 64:

Figure 64
Protected Resource Using User E-mail as OLAC Parameter

In this example, the OLAC parameter reads the mail LDAP attribute and sends it as InternetMail to the back-end Web server.

In this example, you want the OLAC parameter to be available for a user who logs directly into the protected resource using the directory. However, a user who accesses the site via a SAML assertion carries a SAML attribute that contains his or her e-mail address, so when he or she accesses the protected resource with SAML, you want the SAML value to be used instead. This is done by creating another OLAC parameter definition with the same name as the first, InternetMail. The DataSource is now SAML rather than LDAP, and the value is the name of the SAML attribute in the assertion. If you were receiving the SAML attribute named UserEmailAddress, the OLAC parameter would be as shown in Figure 65:

Figure 65
OLAC Parameter When SAML Attribute Is UserEmailAddress

When the user accesses the site using SAML, the value of the SAML UserEmailAddress attribute is used in place of the LDAP mail attribute. If no SAML UserEmailAddress attribute is available, the LDAP mail address is used.


SAML-Specific Attributes

The following SAML-specific attributes are available:

saml-Issuer: Contains the SAML Issuer ID of the assertion used to authenticate the user.

saml-Subject: Contains the original SAML Subject name contained in the SAML assertion.

These attributes can be accessed in OLAC as shown in Figure 66:

Figure 66
Accessing SAML-Specific Attributes in OLAC
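The following added example illustrates the resolution rules described in this section (a SAML-sourced OLAC definition wins when the attribute is present, the LDAP definition of the same name is the fallback) together with the saml-Issuer and saml-Subject attributes. It is not iChain code; the SAML 1.x assertion, the attribute namespace and the LDAP entry are constructed samples.

```python
# Illustration of OLAC parameter resolution with SAML precedence and LDAP fallback.
# Not iChain's implementation; the assertion and directory data below are constructed.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed SAML 1.x assertion carrying one attribute, UserEmailAddress.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    Issuer="https://idp.example.com/saml" AssertionID="_constructed-1">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>jdoe@partner.example</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="UserEmailAddress" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>jane.doe@partner.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# OLAC definitions from the text: two parameters named InternetMail, one per DataSource.
OLAC_PARAMS = [("InternetMail", "LDAP", "mail"),
               ("InternetMail", "SAML", "UserEmailAddress")]

# Constructed directory entry for the same user when he or she logs in directly.
LDAP_ENTRY = {"mail": "jdoe@corp.example"}


def cache_saml_attributes(assertion_xml):
    """Build the per-session cache: assertion attributes plus saml-Issuer and saml-Subject."""
    root = ET.fromstring(assertion_xml)
    cache = {"saml-Issuer": root.get("Issuer")}
    subject = root.find(".//saml:Subject/saml:NameIdentifier", NS)
    if subject is not None:
        cache["saml-Subject"] = subject.text
    for attr in root.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None:
            cache[attr.get("AttributeName")] = value.text
    return cache


def resolve_olac(params, saml_cache, ldap_entry):
    """params: (name, datasource, value) triples. A SAML definition is used when its attribute
    is in the cache; otherwise the LDAP definition of the same name supplies the value."""
    resolved = {}
    for name, source, value in params:
        if source == "SAML" and value in saml_cache:
            resolved[name] = saml_cache[value]          # SAML value overrides any LDAP value
        elif source == "LDAP" and name not in resolved and value in ldap_entry:
            resolved[name] = ldap_entry[value]          # fallback when no SAML value was cached
    return resolved
```

Resolving OLAC_PARAMS with the cache built from SAMPLE_ASSERTION yields the partner address; resolving with an empty cache (direct directory login) yields the LDAP mail value.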