Multi-Value SAML Assertion Attribute Format

Article ID: 111179
Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- CA Single Sign On SOA Security Manager (SiteMinder)
- CA Single Sign-On

Issue/Introduction

We're running Policy Server and we noted that in Federation assertion
attributes with multiple values are by default included as a single
attribute with caret (^) delimited values. To illustrate, the
attribute will look like this in the assertion:

  <ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>
  </ns2:Attribute>

In this sample, MailA1 is the name of the "Assertion Attribute" that
is created in the Federation configuration, and it is pointing to a
directory attribute named "Email" which contains email addresses.

Can this type of multi-value attribute use a different delimiter or
place each value on its own line?

If yes, how can we do that?

Environment

Policy Server 12.8SP3 on RedHat 7

Resolution

The FMATTR: prefix can be used either to change the value delimiter
to commas or to print each value on a separate line. If FMATTR: is
placed in front of the assertion attribute name, each attribute value
will be included on a separate line.

If MailA1 is the "Assertion Attribute" name and "Email" is the
directory attribute that contains the values, setting the "Assertion
Attribute" Value to FMATTR:Email will result in comma-delimited values
on a single line as follows:

  <ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <ns2:AttributeValue>[email protected],[email protected],[email protected]</ns2:AttributeValue>
  </ns2:Attribute>

If the "Assertion Attribute" is defined as FMATTR:MAILA1 and the Value
points to the Email directory attribute, each attribute value will be
included on a separate line as follows:

  <ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
  </ns2:Attribute>

Please note that FMATTR is case-sensitive and should always be upper
case.

As per the documentation, the wording needs some care. Where it says:

  "use the prefix FMATTR: with the attribute name."

the "attribute name" is in fact the attribute name you set in the
"Value" field, and not the one in the "Assertion Attribute" field.

As per documentation :

  Assertion Configuration Dialog (SAML 2.0 IdP)

  - Type

  [...]

  User Attribute

  Obtains the attribute by querying a user directory for the attribute
  specified in the Value field.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/assertion-configuration-dialog-saml-2-0-idp.html

So the "Value" field holds the attribute name as it exists in the LDAP
User Directory, not the name in the "Assertion Attribute" field.
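As an added illustration (not SiteMinder code and not part of this article), the following Python reads the MailA1 attribute in each of the three layouts shown above and includes a pre-flight check an administrator can run on the directory values before choosing a delimited layout. The `_attribute_xml` helper, the `example.test` addresses and the quoted-local-part address are constructed placeholders, not values from the article.

```python
"""Added illustration: reading a multi-value SAML 2.0 attribute in the three
layouts described in the article.  Not SiteMinder code; samples are constructed."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _attribute_xml(*values, delimiter=None):
    """Constructed helper that builds an <ns2:Attribute> like the article's samples.

    delimiter=None emits one AttributeValue per value (FMATTR: in front of the
    Assertion Attribute name); otherwise all values are joined into a single
    AttributeValue with that delimiter ('^' by default, ',' with FMATTR:Email).
    """
    if delimiter is None:
        body = "".join("<ns2:AttributeValue>%s</ns2:AttributeValue>" % v for v in values)
    else:
        body = "<ns2:AttributeValue>%s</ns2:AttributeValue>" % delimiter.join(values)
    return (
        '<ns2:Attribute xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" '
        'Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
        + body + "</ns2:Attribute>"
    )


# Placeholder addresses, not the article's values.
MAILS = ["a@example.test", "b@example.test", "c@example.test"]
CARET_FORM = _attribute_xml(*MAILS, delimiter="^")  # default layout
COMMA_FORM = _attribute_xml(*MAILS, delimiter=",")  # Value = FMATTR:Email
MULTI_FORM = _attribute_xml(*MAILS)                 # Assertion Attribute = FMATTR:MAILA1


def attribute_values(attribute_xml, delimiter=None):
    """Return the values carried by one <Attribute> element.

    The relying party has to know which layout the IdP emits: with
    delimiter=None every AttributeValue element is one value; with a
    delimiter the single AttributeValue is split on it.
    """
    root = ET.fromstring(attribute_xml)
    raw = [e.text or "" for e in root.findall("saml:AttributeValue", SAML_NS)]
    if delimiter is None:
        return raw
    if len(raw) != 1:
        raise ValueError("delimited layout expects one AttributeValue, found %d" % len(raw))
    return raw[0].split(delimiter)


def values_containing(values, delimiter):
    """Pre-flight check: directory values that themselves contain the delimiter.

    Any such value is split into the wrong number of parts on the SP side, so a
    delimited layout is only safe when this returns an empty list; the
    one-AttributeValue-per-value layout has no such problem.
    """
    return [v for v in values if delimiter in v]


if __name__ == "__main__":
    for label, xml, delim in (("caret", CARET_FORM, "^"),
                              ("comma", COMMA_FORM, ","),
                              ("multi", MULTI_FORM, None)):
        print(label, attribute_values(xml, delim))
    # A quoted local part may legally contain a comma (RFC 5322), so the comma
    # layout garbles it while the per-element layout keeps it intact.
    tricky = ['"x,y"@example.test', "b@example.test"]
    print("collisions:", values_containing(tricky, ","))
    print("comma layout:", attribute_values(_attribute_xml(*tricky, delimiter=","), ","))
    print("multi layout:", attribute_values(_attribute_xml(*tricky)))
```

The per-element layout (FMATTR: in front of the Assertion Attribute name) is the only one a relying party can parse without prior agreement on a delimiter, which is why it is the safer default when the consuming application supports it. Parsing here is illustration only: in a real SP the assertion's signature is verified by the SAML stack before any attribute is read, and for XML from untrusted sources a hardened parser such as defusedxml is the usual choice over xml.etree.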