Multi-Value SAML Assertion Attribute Format
Article ID: 111179
Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

In a Federation assertion, an attribute with multiple values is by default emitted as a single Attribute element with one AttributeValue whose values are delimited by a caret (^). For example, the attribute appears in the assertion as follows:

  <ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>
  </ns2:Attribute>

In this sample, MailA1 is the name of the "Assertion Attribute" created in the Federation configuration, and it points to a directory attribute named "Email" that contains the email addresses.

Can this type of multi-value attribute use a different delimiter, or place each value on its own line?

Environment

Policy Server 12.8.x

Resolution

The FMATTR: prefix can be used either to change the value delimiter to a comma or to emit each value as its own AttributeValue element. Which of the two you get depends on where the prefix is placed: in the "Value" field (the directory attribute) it changes the delimiter; in front of the "Assertion Attribute" name it puts each value on a separate line.

If MailA1 is the "Assertion Attribute" name and "Email" is the directory attribute that contains the values, setting the "Assertion Attribute" Value to FMATTR:Email results in comma-delimited values on a single line, as follows:

  <ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>[email protected],[email protected],[email protected]</ns2:AttributeValue>
  </ns2:Attribute>

If the "Assertion Attribute" is instead defined as FMATTR:MailA1 and the Value points to the Email directory attribute, each value is emitted as a separate AttributeValue element, as follows:

  <ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
    <ns2:AttributeValue>[email protected]</ns2:AttributeValue>
  </ns2:Attribute>

(NOTE: the FMATTR prefix is case sensitive and must always be written in upper case.)
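The three layouts above are what a Service Provider actually has to consume, and the delimited forms are only safe to split if no value can itself contain the delimiter. The following is an added example (not code from the article or from the SiteMinder product) that parses each layout into a Python list with the standard library and shows the ambiguity in the delimited forms. It assumes the page's ns2 prefix is bound to the SAML 2.0 assertion namespace, and the sample fragments and addresses are constructed for the demo; the placeholder addresses on this page are not reused.

```python
"""Normalise a SAML 2.0 Attribute to a Python list, whichever multi-value
layout the IdP was configured to emit.

Added example; not code from the article or the SiteMinder product.
Assumptions: the page's ns2 prefix is the SAML 2.0 assertion namespace,
and every sample fragment below is constructed for this demo.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # assumed binding for ns2
NS = {"saml": SAML_NS}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"


def _fragment(values_xml: str) -> str:
    """Wrap AttributeValue markup in an Attribute element with ns2 declared."""
    return (
        f'<ns2:Attribute xmlns:ns2="{SAML_NS}" Name="MailA1" NameFormat="{UNSPEC}">'
        f"{values_xml}</ns2:Attribute>"
    )


# Constructed samples mirroring the three layouts described on the page.
CARET_SAMPLE = _fragment(
    "<ns2:AttributeValue>alice@example.test^bob@example.test^carol@example.test</ns2:AttributeValue>")
COMMA_SAMPLE = _fragment(
    "<ns2:AttributeValue>alice@example.test,bob@example.test,carol@example.test</ns2:AttributeValue>")
MULTI_SAMPLE = _fragment(
    "<ns2:AttributeValue>alice@example.test</ns2:AttributeValue>"
    "<ns2:AttributeValue>bob@example.test</ns2:AttributeValue>"
    "<ns2:AttributeValue>carol@example.test</ns2:AttributeValue>")
# "^" is legal in an RFC 5322 local part, so these two fragments carry the SAME
# two addresses; only the per-element layout survives a round trip intact.
AMBIGUOUS_CARET = _fragment(
    "<ns2:AttributeValue>re^d@example.test^bob@example.test</ns2:AttributeValue>")
AMBIGUOUS_MULTI = _fragment(
    "<ns2:AttributeValue>re^d@example.test</ns2:AttributeValue>"
    "<ns2:AttributeValue>bob@example.test</ns2:AttributeValue>")


def attribute_values(xml_text: str, name: str, delimiter: Optional[str] = None) -> List[str]:
    """Return the values of the Attribute called `name` as a list.

    delimiter=None : one value per <AttributeValue> (FMATTR: on the Assertion Attribute name)
    delimiter="^"  : SiteMinder default, all values joined with '^' in one element
    delimiter=","  : FMATTR: on the directory attribute in the Value field
    """
    root = ET.fromstring(xml_text)
    attr_tag = f"{{{SAML_NS}}}Attribute"
    # Accept either a bare Attribute or a larger document that contains one.
    candidates = [root] if root.tag == attr_tag else root.findall(".//saml:Attribute", NS)
    for attr in candidates:
        if attr.get("Name") != name:
            continue
        raw = [(v.text or "") for v in attr.findall("saml:AttributeValue", NS)]
        if delimiter is None:
            return raw
        # Delimited layouts: split every element, in case several delimited
        # elements are present at once.
        split: List[str] = []
        for chunk in raw:
            split.extend(chunk.split(delimiter))
        return split
    raise LookupError(f"attribute {name!r} not present in assertion")


def value_count_by_layout() -> Dict[str, int]:
    """Count the values each layout yields; the last two should agree but do not."""
    return {
        "caret": len(attribute_values(CARET_SAMPLE, "MailA1", "^")),
        "comma": len(attribute_values(COMMA_SAMPLE, "MailA1", ",")),
        "multi": len(attribute_values(MULTI_SAMPLE, "MailA1")),
        "ambiguous_caret": len(attribute_values(AMBIGUOUS_CARET, "MailA1", "^")),
        "ambiguous_multi": len(attribute_values(AMBIGUOUS_MULTI, "MailA1")),
    }


if __name__ == "__main__":
    for layout, count in value_count_by_layout().items():
        print(f"{layout:16s} -> {count} value(s)")
```

The consumer side is the reason to prefer the FMATTR:<Assertion Attribute> form: a delimited string cannot be split back reliably once a value may legitimately contain the delimiter, whereas one AttributeValue element per value needs no splitting at all. When parsing assertions from an untrusted party in production, parse with a hardened XML library rather than the bare standard-library parser shown here.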

The wording in the documentation needs care. Where it says:

  "use the prefix FMATTR: with the attribute name."

the "attribute name" is the name you enter in the "Value" field, not the one in the "Assertion Attribute" field.

From the documentation:

  Assertion Configuration Dialog (SAML 2.0 IdP)

  - Type

  [...]

  User Attribute

  Obtains the attribute by querying a user directory for the attribute
  specified in the Value field.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/assertion-configuration-dialog-saml-2-0-idp.html

So the "Value" field holds the attribute name as it exists in the LDAP User Directory, which is distinct from the name in the "Assertion Attribute" field.