WSS does not report or see SAML group attribute from IDP



Article ID: 206891




Cloud Secure Web Gateway - Cloud SWG


Users who successfully single sign on to WSS via SAML do not see any group information reported. Any policies that apply to these groups will fail to trigger.


- SAML authentication enabled on WSS, with ADFS acting as the SAML IDP server

- Users accessing WSS were correctly redirected to the ADFS IDP server, which sent an assertion back to WSS after validating the user's credentials

- The SAML assertion included the user information (Subject Name Identifier) as well as the user's groups. The SAML AttributeStatement included the group names within the following attribute name

- This matches the attribute name defined in the WSS SAML configuration below, including case


The attribute name in the IDP assertion failed to match the attribute name configured on WSS.


Two possibilities exist:


1. Add the space character before the http scheme in the WSS SAML configuration so that the match succeeds

2. Modify the ADFS server to send the SAML group attribute without the extra space character

Additional Information

Always get the HAR file (or SAML tracer output) when troubleshooting SAML issues.

Look closely at the AttributeStatement that includes the group information and make sure the attribute name matches the configured one character by character.

In the above case, there was an extra space character inserted before the attribute name, causing the match to fail.



            <NameID>[email protected]</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_xxxxxx" NotOnOrAfter="2021-01-11T19:38:44.895Z" Recipient=" " />
        <Conditions NotBefore="2021-01-11T19:33:44.895Z" NotOnOrAfter="2021-01-11T20:03:44.895Z">
                <Audience> </Audience>
            <Attribute Name=" ">
        <AuthnStatement AuthnInstant="2021-01-11T19:33:44.738Z" SessionIndex="_yyyyyy">
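The character-by-character check described above, as an added example that is not part of this article or of the WSS product: it parses a constructed assertion fragment whose group attribute name carries a leading space, reports exactly how the asserted name differs from the configured one, and shows that only an exact Name match yields group values. The claim URL is a placeholder, not the real attribute name.

```python
import xml.etree.ElementTree as ET

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample: the group attribute Name has a leading space, the defect
# the article describes. The claim URL is a placeholder, not a real one.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <AttributeStatement>
    <Attribute Name=" http://example.invalid/claims/Group">
      <AttributeValue>WSS-Admins</AttributeValue>
      <AttributeValue>Finance</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""

def attribute_names(assertion_xml):
    """Return every Attribute Name in the assertion verbatim (no trimming)."""
    root = ET.fromstring(assertion_xml)
    return [a.get("Name", "") for a in root.iter(SAML_NS + "Attribute")]

def diagnose(configured, asserted):
    """Compare the IDP's attribute name with the configured one character by
    character; return 'match' or a reason naming the first difference."""
    if asserted == configured:
        return "match"
    if asserted.strip() == configured:
        return f"whitespace only: asserted name is {asserted!r}"
    if asserted.strip().lower() == configured.lower():
        return "case differs (attribute names are case-sensitive)"
    for i, (c, a) in enumerate(zip(configured, asserted)):
        if c != a:
            return f"differs at index {i}: configured {c!r} vs asserted {a!r}"
    return f"length differs: configured {len(configured)}, asserted {len(asserted)}"

def group_values(assertion_xml, configured_name):
    """Return the groups a service would extract: only an exact Name match counts."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(SAML_NS + "Attribute"):
        if attr.get("Name") == configured_name:
            return [v.text for v in attr.findall(SAML_NS + "AttributeValue")]
    return []

if __name__ == "__main__":
    configured = "http://example.invalid/claims/Group"
    for name in attribute_names(SAMPLE_ASSERTION):
        print(f"{name!r}: {diagnose(configured, name)}")
    print("groups seen:", group_values(SAMPLE_ASSERTION, configured))
```

Passing the configured name with the leading space added (resolution option 1) makes group_values return the two groups, which is why that workaround succeeds.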