The Junos Pulse Secure Access Service (SSL VPN) 7.4 offers support for inclusion of Security Assertion Markup Language (SAML) basic attributes in profiles. This feature would enable the SA to send SAML Attirbute statements in the SAML Assertions when configured as an Identity Provider.
The inclusion of SAML Attirbute statements would be benificial to SAML Service Providers (SPs) who perform Authorization based on the SAML Attributes.
Please drop in any questions you may have on this exciting new feature. As always, we promise to do our best in getting them answered :-)
Can you help determine what the proper syntax is for the user name tempate field when our SAML attribute statements are passed through as Object Identifier Numbers?
IÕm having issues getting the Juniper appliance to pick up the userID from the attribute assertion. On the juniper appliance under the Auth ServerÓ configuration page, there is a User Name TemplateÓ field where youÕre supposed to define the attribute name for the userID. Examples given by juniper are:
Example: <assertionNameDN.uid>, uid from X509SubjectName.
The entire assertion name identifier if not specified; Or
<userAttr.attr>, attr from AttributeStatement attributes.
I first tried to leave the field blank so that it gets the name identifier from the entire assertion. That allows me to login, but the UserID from the juniper logs is some random string of numbers which means nothing to us because we canÕt correlate that back to an actual user. I tried various other methods like:
1) <userAttr.urn: oid:XXX.XXX.XXXX> (where XXX is the object identifier for our userID attribute)
2) urn: oid:XXX.XXX.XXXX
6) When I use the examples that begin with <Ó and end in >Ó, I get Invalid Assertion ErrorÓ on the juniper side after authenticating. If I leave out the brackets, the value that gets returned as the UserID is literally what is typed in the Name Template Field. So in example 2, the signed in user was urn: oid:XXX.XXX.XXXXÓ and example 5 returned uidÓ
If the attribute statement from IDP that has the userID value is userAttr.urnid:XXX.XXX.XXXX, how do I properly configure Secure Access to consume that attribute as the userID?
Could you paste the actual assertion generated by your IDP and point out the specific attribute you would like the SA to use as the username here?