When EM is configured to use SAML for authentication, the Securing Introscope using SAML 2.0 doc section states that introscope.saml.groupsAttributeName will determine the SAML assertion response attribute that is used as the source of authorization groups. It does not state how multiple groups are returned. Are they a single text string with delimiter such as comma, or nested XML elements or something else?
Release : APM 10.x
Component : APM Enterprise Manager
Multiple groups are not returned as a single delimited string. The attribute named by introscope.saml.groupsAttributeName is defined once in the response, and each group is then supplied as its own <saml2:AttributeValue> element under that one <saml2:Attribute>, as in the snippet below:
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="member-of" Name="member-of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue>group1</saml2:AttributeValue>
<saml2:AttributeValue>group2</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
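As an added illustration (not part of the original article or of the APM product code), the following Python reads group membership from an assertion the way the snippet above implies: it collects every AttributeValue under the Attribute whose Name matches the configured groups attribute, and it deliberately does not split a single comma-separated value, so a misconfigured IdP that packs groups into one value is visible as one opaque group rather than several. The sample assertion is constructed for this example, the helper names are hypothetical, and parsing must only be done on an assertion whose XML signature has already been verified.

```python
import xml.etree.ElementTree as ET

SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion modelled on the snippet above (not a real IdP response).
# "member-of" carries two groups as two AttributeValue elements; "legacy-groups"
# shows the wrong shape, one value holding a comma-separated list.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="principalName"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>user</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="member-of" Name="member-of"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>group1</saml2:AttributeValue>
      <saml2:AttributeValue>group2</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="legacy-groups"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue>group1,group2</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def attribute_values(assertion_xml, attribute_name):
    """Return the text of every AttributeValue under the Attribute named
    attribute_name, in document order, across all AttributeStatements.

    Call this only after the assertion's signature has been verified; an
    unsigned or unverified assertion must never drive authorization.
    """
    root = ET.fromstring(assertion_xml)
    ns = {"saml2": SAML2_ASSERTION_NS}
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", ns):
        # Match on the Name attribute, which is what groupsAttributeName refers to.
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.iterfind("saml2:AttributeValue", ns):
            # One AttributeValue is one group; no delimiter splitting is done.
            text = (value.text or "").strip()
            if text:
                values.append(text)
    return values


def groups_from_assertion(assertion_xml, groups_attribute_name):
    """Hypothetical helper: groups_attribute_name plays the role of the
    introscope.saml.groupsAttributeName setting."""
    return attribute_values(assertion_xml, groups_attribute_name)


if __name__ == "__main__":
    print(groups_from_assertion(SAMPLE_ASSERTION, "member-of"))      # two groups
    print(groups_from_assertion(SAMPLE_ASSERTION, "legacy-groups"))  # one opaque value
```

If the second call returns a single value containing a comma, the IdP is emitting a delimited string and its attribute mapping needs to be changed to emit one value per group; the EM will not split it for you.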
Below is a specific APM example of an acceptable response (namespace URIs and several values are abbreviated). Here the groups attribute is named "groups", so introscope.saml.groupsAttributeName must be set to groups, and each group is again a separate ns2:AttributeValue element:
<Response Destination="http://example.
<ns1:Issuer Format="urn:oasis:names:tc:
<Status>
<StatusCode Value="urn:oasis:names:tc:
</Status>
<ns2:Assertion ID="<id>" IssueInstant="<IssueInstant>" Version="2.0" xmlns:ns2="urn:oasis:names:tc:
<ns2:Issuer Format="urn:oasis:names:tc:
<ns2:Subject>
<ns2:NameID Format="urn:oasis:names:tc:
<ns2:SubjectConfirmation Method="urn:oasis:names:tc:
<ns2:SubjectConfirmationData InResponseTo="<InResponseTo>" NotOnOrAfter="<NotOneOrAfter>" Recipient="http:/example.com:8080/saml.jsp"/>
</ns2:SubjectConfirmation>
</ns2:Subject>
<ns2:Conditions NotBefore="<NotBefore>" NotOnOrAfter="<NotOneOrAfter>">
<ns2:AudienceRestriction>
<ns2:Audience>com.ca.apm.
</ns2:AudienceRestriction>
</ns2:Conditions>
<ns2:AuthnStatement AuthnInstant="AuthnInstant" SessionIndex="<SessionIndex>==" SessionNotOnOrAfter="SessionNotOneorAfter">
<ns2:AuthnContext>
<ns2:AuthnContextClassRef>urn:
</ns2:AuthnContext>
</ns2:AuthnStatement>
<ns2:AttributeStatement>
<ns2:Attribute Name="principalName" NameFormat="urn:oasis:names:
<ns2:AttributeValue>user</ns2:
</ns2:Attribute>
<ns2:Attribute Name="groups" NameFormat="urn:oasis:names:
<ns2:AttributeValue><username></ns2
<ns2:AttributeValue><userName></ns2
</ns2:Attribute>
</ns2:AttributeStatement>
</ns2:Assertion>
</Response>