Delimiter between group names expected in the SAML response

Delimiter between group names expected in the SAML response


Article ID: 139609


Products

CA Application Performance Management Agent (APM / Wily / Introscope), CA Application Performance Management (APM / Wily / Introscope), INTROSCOPE

Issue/Introduction

When the EM is configured to use SAML for authentication, the "Securing Introscope using SAML 2.0" doc section states that introscope.saml.groupsAttributeName determines which SAML assertion response attribute is used as the source of authorization groups. It does not state how multiple groups are returned. Are they returned as a single text string with a delimiter (for example, comma-separated), as nested XML elements, or in some other form?

Environment

Release : APM 10.x

Component : APM Enterprise Manager

Resolution

The sample below shows that the attribute is identified by its Name in the response, and that each group is then supplied as a separate AttributeValue element rather than as a single delimited string.

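<!-- Generic SAML 2.0 form of the groups attribute: one AttributeValue child
     per group, so no delimiter is used inside a value. The xmlns:saml2
     declaration is added so the fragment is self-contained and well-formed. -->
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Attribute FriendlyName="member-of" Name="member-of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>group1</saml2:AttributeValue>
        <saml2:AttributeValue>group2</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>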

Below is a specific APM example of an acceptable response (values in angle brackets are placeholders for deployment-specific data):

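<!-- Sample SAML 2.0 Response accepted by the APM Enterprise Manager.
     Values in angle brackets (<id>, <IssueInstant>, <IDP_name>, ...) are
     placeholders for deployment-specific data; as written they make the
     sample not well-formed, so substitute real values before parsing it.
     No Signature element appears in this excerpt; a production response or
     assertion is expected to be signed and verified by the EM. TODO confirm
     against the EM SAML configuration. -->
<Response Destination="http://example.com:8080/saml.jsp" ID="<id>" InResponseTo="<InResponseTo>" IssueInstant="<IssueInstant>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"><IDP_name></ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <ns2:Assertion ID="<id>" IssueInstant="<IssueInstant>" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"><IDP_name></ns2:Issuer>
    <ns2:Subject>
      <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user</ns2:NameID>
      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <!-- Recipient should match the Destination on the Response; the
             original sample had "http:/example.com" with a single slash. -->
        <ns2:SubjectConfirmationData InResponseTo="<InResponseTo>" NotOnOrAfter="<NotOneOrAfter>" Recipient="http://example.com:8080/saml.jsp"/>
      </ns2:SubjectConfirmation>
    </ns2:Subject>
    <!-- Validity window and intended audience of the assertion; presumably the
         EM rejects assertions outside this window or addressed to another
         audience. Confirm against the EM SAML documentation. -->
    <ns2:Conditions NotBefore="<NotBefore>" NotOnOrAfter="<NotOneOrAfter>">
      <ns2:AudienceRestriction>
        <ns2:Audience>com.ca.apm.webview.serviceprovider</ns2:Audience>
      </ns2:AudienceRestriction>
    </ns2:Conditions>
    <!-- Placeholders normalised to the angle-bracket convention used elsewhere
         in the sample (AuthnInstant and SessionNotOnOrAfter were bare words). -->
    <ns2:AuthnStatement AuthnInstant="<AuthnInstant>" SessionIndex="<SessionIndex>==" SessionNotOnOrAfter="<SessionNotOnOrAfter>">
      <ns2:AuthnContext>
        <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
      </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
      <ns2:Attribute Name="principalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <ns2:AttributeValue>user</ns2:AttributeValue>
      </ns2:Attribute>
      <!-- Presumably the attribute that introscope.saml.groupsAttributeName is
           set to ("groups" here). Each group is a separate AttributeValue
           child; no delimiter is used inside a value. The <username> and
           <userName> placeholders below stand for group names, not user names.
           Confirm the expected placeholder meaning with the article author. -->
      <ns2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <ns2:AttributeValue><username></ns2:AttributeValue>
        <ns2:AttributeValue><userName></ns2:AttributeValue>
      </ns2:Attribute>
    </ns2:AttributeStatement>
  </ns2:Assertion>
</Response>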