What delimiter between group names is expected in the SAML response
Article ID: 139609

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE

Issue/Introduction

When the Enterprise Manager (EM) is configured to use SAML for authentication, the "Securing Introscope using SAML 2.0" documentation section states that introscope.saml.groupsAttributeName determines which SAML assertion response attribute is used as the source of authorization groups. It does not state how multiple groups are returned. Are they a single text string with a delimiter such as a comma, nested XML elements, or something else?

Environment

Release : APM 10.x

Component : APM Enterprise Manager

Resolution

The generic SAML 2.0 snippet below shows the expected encoding: the attribute name is defined once (here "member-of") and each group is supplied as its own AttributeValue element. Groups are not joined into a single delimited string.

<saml2:AttributeStatement> 
    <saml2:Attribute FriendlyName="member-of" Name="member-of" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml2:AttributeValue>group1</saml2:AttributeValue>
        <saml2:AttributeValue>group2</saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

Below is a specific APM example of an acceptable response. Values in angle brackets such as <id> and <IDP_name> are placeholders to be filled in by the IdP; the groups attribute is the one introscope.saml.groupsAttributeName must name.

<Response Destination="http://example.com:8080/saml.jsp" ID="<id>" InResponseTo="<InResponseTo>" IssueInstant="<IssueInstant>" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
  <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion"><IDP_name></ns1:Issuer>
  <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </Status>
  <ns2:Assertion ID="<id>" IssueInstant="<IssueInstant>" Version="2.0" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"><IDP_name></ns2:Issuer>
    <ns2:Subject>
      <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user</ns2:NameID>
      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <ns2:SubjectConfirmationData InResponseTo="<InResponseTo>" NotOnOrAfter="<NotOnOrAfter>" Recipient="http://example.com:8080/saml.jsp"/>
      </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="<NotBefore>" NotOnOrAfter="<NotOnOrAfter>">
      <ns2:AudienceRestriction>
        <ns2:Audience>com.ca.apm.webview.serviceprovider</ns2:Audience>
      </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="<AuthnInstant>" SessionIndex="<SessionIndex>==" SessionNotOnOrAfter="<SessionNotOnOrAfter>">
      <ns2:AuthnContext>
        <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
      </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
      <ns2:Attribute Name="principalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <ns2:AttributeValue>user</ns2:AttributeValue>
      </ns2:Attribute>
      <ns2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <ns2:AttributeValue><username></ns2:AttributeValue>
        <ns2:AttributeValue><userName></ns2:AttributeValue>
      </ns2:Attribute>
    </ns2:AttributeStatement>
  </ns2:Assertion>
</Response>
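As an added illustration, not code from this article or from the APM product, the following Python reads a response shaped like the two examples above and collects groups the way the article describes: one AttributeValue per group under the Attribute whose Name matches the value configured in introscope.saml.groupsAttributeName. The sample response is constructed here (build_sample_response is a hypothetical helper), and signature and condition validation are assumed to have been done before this step.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"


def build_sample_response(group_values, prefix="ns2"):
    """Constructed sample (not an IdP capture), shaped like the article's second
    example: a Response wrapping one Assertion with principalName and groups.
    Signature, Subject and Conditions are left out; they do not affect how the
    groups are encoded."""
    values = "".join(f"<{prefix}:AttributeValue>{v}</{prefix}:AttributeValue>"
                     for v in group_values)
    return (
        f'<Response Version="2.0" xmlns="{SAML_PROTOCOL_NS}">'
        f'<{prefix}:Assertion ID="_a1" Version="2.0" xmlns:{prefix}="{SAML_ASSERTION_NS}">'
        f"<{prefix}:AttributeStatement>"
        f'<{prefix}:Attribute Name="principalName" NameFormat="{BASIC}">'
        f"<{prefix}:AttributeValue>user</{prefix}:AttributeValue></{prefix}:Attribute>"
        f'<{prefix}:Attribute Name="groups" NameFormat="{BASIC}">{values}</{prefix}:Attribute>'
        f"</{prefix}:AttributeStatement></{prefix}:Assertion></Response>"
    )


def extract_groups(response_xml, groups_attribute_name):
    """Collect group names from the Attribute whose Name equals the configured
    introscope.saml.groupsAttributeName: one AttributeValue child per group.
    Assumes the caller already validated the XML signature and the assertion
    conditions; this only answers the encoding question."""
    root = ET.fromstring(response_xml)
    ns = {"a": SAML_ASSERTION_NS}
    groups = []
    for attr in root.iterfind(".//a:AttributeStatement/a:Attribute", ns):
        # Exact match on Name. The prefix (saml2, ns2, ...) does not matter:
        # lookup is by namespace URI, so both article snippets parse the same way.
        if attr.get("Name") != groups_attribute_name:
            continue
        for value in attr.iterfind("a:AttributeValue", ns):
            text = (value.text or "").strip()
            if text:
                # Taken literally: "group1,group2" in one element is ONE group name,
                # which is why a delimiter-joined string would not match anything.
                groups.append(text)
    return groups


if __name__ == "__main__":
    print(extract_groups(build_sample_response(["group1", "group2"]), "groups"))
    print(extract_groups(build_sample_response(["group1,group2"]), "groups"))
```

The second call shows the failure mode behind the original question: an IdP that joins groups with a comma yields a single group named "group1,group2" rather than two groups.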