WSS does not report or see SAML group attribute from IDP

Article ID: 206891

Products

Web Security Service - WSS

Issue/Introduction

Users who successfully single sign on to WSS via SAML do not have any group information reported for them. Any policy that applies to these groups therefore fails to trigger.

Cause

The attribute name carried in the IDP assertion did not exactly match the attribute name configured on WSS, so the comparison failed.

Environment

- SAML authentication enabled on WSS, with ADFS acting as the SAML IDP server

- Users accessing WSS were correctly redirected to the ADFS IDP server, which sent an assertion back to WSS after validating the user's credentials

- The SAML assertion included the user information (Subject Name Identifier) as well as the user's groups. The SAML AttributeStatement carried the group names under the following attribute name:

http://schemas.xmlsoap.org/claims/Group

- This matches the attribute name defined in the WSS SAML configuration below, including case

Resolution

Two possibilities exist:

1. Add the space character before the http scheme in the WSS SAML configuration so that the comparison matches the name as ADFS sends it

2. Modify the ADFS server to send the SAML Group attribute without the extra character

Additional Information

Always capture a HAR file (or SAML-tracer output) when troubleshooting SAML issues.

Look closely at the AttributeStatement that carries the group information and make sure the attribute name matches the one configured on WSS character by character; a browser rendering of the assertion will not make a leading or trailing space visible, so inspect the raw Name value.

In the case above, an extra space character had been inserted before the attribute name, causing the match to fail.

        <Subject>
            <NameID>[email protected]</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_e8688a4abb07bef62d90c31a5a3b03fd56432c177d6c67f71656c0de1b89d39f" NotOnOrAfter="2021-01-11T19:38:44.895Z" Recipient="https://saml.threatpulse.net:8443/saml/saml_realm/bcsamlpost " />
            </SubjectConfirmation>
        </Subject>
        <Conditions NotBefore="2021-01-11T19:33:44.895Z" NotOnOrAfter="2021-01-11T20:03:44.895Z">
            <AudienceRestriction>
                <Audience>https://saml.threatpulse.net:8443/saml/saml_realm </Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <Attribute Name="  http://schemas.xmlsoap.org/claims/Group ">
                <AttributeValue>xxxxx\yyyyyy</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <AuthnStatement AuthnInstant="2021-01-11T19:33:44.738Z" SessionIndex="_ac6f68ac-249e-4e1a-971e-d006a017f4ea">
            <AuthnContext>
                <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
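The character-by-character check described above can be automated against the assertion XML pulled from a HAR file or SAML-tracer capture. The script below is an added example, not part of this article or of the WSS product; it parses the assertion with the standard library, lists every Attribute Name with its whitespace made visible via repr(), and classifies the Group attribute as an exact match, a whitespace-only mismatch (the case in this article), a case mismatch, or missing. The embedded assertion is a constructed sample modelled on the capture above, with the same leading and trailing spaces in the Group attribute name; the issuer, user and group values are placeholders.

```python
"""Compare SAML AttributeStatement names against the name configured on the SP (WSS)."""
import xml.etree.ElementTree as ET  # for untrusted captures, defusedxml.ElementTree is the safer drop-in

# Constructed sample assertion (not a real capture). ADFS emits the SAML 2.0
# assertion namespace as the default namespace, which is reproduced here.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example-id" Version="2.0" IssueInstant="2021-01-11T19:33:44.738Z">
  <Issuer>http://adfs.example.test/adfs/services/trust</Issuer>
  <AttributeStatement>
    <Attribute Name="  http://schemas.xmlsoap.org/claims/Group ">
      <AttributeValue>EXAMPLE\\WSS-Users</AttributeValue>
    </Attribute>
    <Attribute Name="http://schemas.xmlsoap.org/claims/UPN">
      <AttributeValue>user@example.test</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

# Name as it would be typed into the WSS SAML configuration (no surrounding spaces).
CONFIGURED_GROUP_ATTRIBUTE = "http://schemas.xmlsoap.org/claims/Group"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def attribute_names(xml_text):
    """Return {raw Attribute Name: [AttributeValue texts]} for every Attribute in the assertion.

    Matching on the local tag name keeps this working whether the capture uses a
    default namespace, a 'saml:' prefix, or (as in a stripped tracer view) none at all.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for elem in root.iter():
        if _local(elem.tag) != "Attribute":
            continue
        name = elem.get("Name", "")
        values = [(child.text or "") for child in elem if _local(child.tag) == "AttributeValue"]
        found.setdefault(name, []).extend(values)
    return found


def diagnose(raw_name, configured_name):
    """Classify how a raw attribute name relates to the configured one."""
    if raw_name == configured_name:
        return "match"
    if raw_name.strip() == configured_name.strip():
        return "whitespace"  # only leading/trailing whitespace differs
    if raw_name.strip().casefold() == configured_name.strip().casefold():
        return "case"  # letters differ in case (possibly whitespace too)
    return "different"


def check_group_attribute(xml_text, configured_name):
    """Return (status, raw_name, values) for the attribute that best corresponds to configured_name.

    status is 'match', 'whitespace', 'case' or 'missing'; raw_name is the Name exactly
    as the IDP sent it so the caller can show the offending characters.
    """
    attrs = attribute_names(xml_text)
    if configured_name in attrs:
        return ("match", configured_name, attrs[configured_name])
    for raw_name, values in attrs.items():
        status = diagnose(raw_name, configured_name)
        if status != "different":
            return (status, raw_name, values)
    return ("missing", None, [])


if __name__ == "__main__":
    for raw_name in attribute_names(SAMPLE_ASSERTION):
        print("IDP sent attribute Name =", repr(raw_name))  # repr() makes stray spaces visible
    status, raw_name, values = check_group_attribute(SAMPLE_ASSERTION, CONFIGURED_GROUP_ATTRIBUTE)
    print("configured =", repr(CONFIGURED_GROUP_ATTRIBUTE), "->", status, "; values:", values)
```

Running it prints the Group Name as `'  http://schemas.xmlsoap.org/claims/Group '` and reports `whitespace`, which is exactly the mismatch a plain view of the tracer output hides. Feeding the script the name with the surrounding spaces (resolution option 1 above) reports `match`, while a corrected ADFS claim rule (option 2) makes the configured name match without the spaces.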