SAML assertion truncation when the size is more than 1024

Article ID: 37233

Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

The SAML assertion was truncated at the relying party when attributes were
sent in the assertion and the user belonged to groups whose combined
attribute value exceeded 1024 characters.

Environment

Policy Server all versions

Cause

In R12 SP3:

The following issues occur:

The directory attributes appear truncated at the relying party.

The following message appears in the smtracedefault.log file:

  [WARNING: Response attribute will be trimmed. [attr = SMUSERGRP:memberOf] [actual attr len = number] [ response attr len = number]]

Note: In the Warning message, SMUSERGRP represents the variable name
and memberOf represents the attribute value. The error message is
specific to your configuration.

The issue occurs when a header or attribute larger than 1024 characters is
sent in an assertion: the relying party (consumer/service provider) receives
a truncated attribute in the assertion and is unable to authorize the user
based on it.

Resolution

In earlier versions the Policy Server imposed no limit of its own; the only
constraint was the web server's header size limit. Starting with 12 SP3 this
changed.

If the size of a user attribute exceeds 1024, the value of the following
fields must be increased to resolve the issue.

The fields are in the following file:

  "EntitlementGenerator.properties"

which is located under:

  "<<PS_Installation_path>>\config\properties"

Depending on the federation type (WS-Fed, SAML 1.x or SAML 2.0), increase the
value of the corresponding field in that file:

  com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
  com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
  com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024

The value is an integer with an upper limit of 2,147,483,647. Note that web
servers impose their own limits on header size (1). The value does not
include the <attribute> tag.
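The following script is an added example, not part of this article or of the SiteMinder product: it parses the "Response attribute will be trimmed" warning quoted above from constructed smtracedefault.log lines, works out the largest attribute that was trimmed, suggests a MaxUserAttributeLength with headroom (capped at the 2,147,483,647 field limit), checks the suggestion against an assumed 4K web server header ceiling, and rewrites the three keys in a constructed EntitlementGenerator.properties. The log lines, the properties content, the 25% headroom and the 4096 header limit are all assumptions for illustration.

```python
import re
from typing import Dict, Iterable

# Pattern for the trace warning quoted in the article:
# [WARNING: Response attribute will be trimmed. [attr = VAR:attr] [actual attr len = N] [ response attr len = N]]
WARNING_RE = re.compile(
    r"Response attribute will be trimmed\. "
    r"\[attr = (?P<attr>[^\]]+)\] "
    r"\[actual attr len = (?P<actual>\d+)\] "
    r"\[ ?response attr len = (?P<response>\d+)\]"
)

# Upper bound of the integer field, as stated in the article.
MAX_FIELD_VALUE = 2_147_483_647

# Assumed web-server header ceiling used only as a sanity check; the article's
# table puts the smallest common limit (Nginx) at 4K. Adjust for your server.
WEB_SERVER_HEADER_LIMIT = 4096

# Constructed sample lines in the shape of smtracedefault.log (not real output).
SAMPLE_LOG = """\
[WARNING: Response attribute will be trimmed. [attr = SMUSERGRP:memberOf] [actual attr len = 1860] [ response attr len = 1024]]
[INFO: unrelated trace line that the parser must ignore]
[WARNING: Response attribute will be trimmed. [attr = SMUSERGRP:memberOf] [actual attr len = 2312] [ response attr len = 1024]]
[WARNING: Response attribute will be trimmed. [attr = SMMAIL:mail] [actual attr len = 1100] [ response attr len = 1024]]
"""

# Constructed EntitlementGenerator.properties content with the article's three keys.
SAMPLE_PROPERTIES = """\
# EntitlementGenerator.properties (constructed sample)
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024
"""


def parse_trim_warnings(log_text: str) -> Dict[str, int]:
    """Largest 'actual attr len' reported per attribute (VAR:attr) in the log."""
    longest: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            attr = m.group("attr").strip()
            longest[attr] = max(longest.get(attr, 0), int(m.group("actual")))
    return longest


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#' and '!' comments skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def required_length(longest: Dict[str, int], headroom: float = 1.25) -> int:
    """Suggested MaxUserAttributeLength: largest trimmed value plus 25% headroom, capped at the field maximum."""
    if not longest:
        return 0
    return min(int(max(longest.values()) * headroom), MAX_FIELD_VALUE)


def exceeds_header_limit(value: int, limit: int = WEB_SERVER_HEADER_LIMIT) -> bool:
    """True when the chosen length would not fit the assumed web server header limit."""
    return value > limit


def raise_limits(props_text: str, new_value: int,
                 federations: Iterable[str] = ("wsfed", "saml1", "saml2")) -> str:
    """Rewrite the MaxUserAttributeLength line(s) for the given federation types; other lines are kept intact."""
    keys = {f"com.netegrity.assertiongenerator.{f}.MaxUserAttributeLength" for f in federations}
    out = []
    for raw in props_text.splitlines():
        key, sep, _ = raw.strip().partition("=")
        if sep and key.strip() in keys:
            out.append(f"{key.strip()}={new_value}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    longest = parse_trim_warnings(SAMPLE_LOG)
    needed = required_length(longest)
    print("largest trimmed attributes:", longest)
    print("suggested MaxUserAttributeLength:", needed,
          "(exceeds web server header limit)" if exceeds_header_limit(needed) else "")
    print(raise_limits(SAMPLE_PROPERTIES, needed, ("saml2",)))
```

Only the key for the federation type actually in use needs to be raised; the rest can stay at the default. Whatever value is chosen, it must still fit inside the web server's own header limit from the table in Additional Information, otherwise the attribute will be cut again one hop later.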

Additional Information

(1)

    What is the maximum size of HTTP header values?
    
      Most web servers have their own set of size limits on HTTP request
      headers. The HTTP header values are restricted by server
      implementations. The following are the limits of some of the most
      popular web servers:

      | Web Server | Size Limit |
      |------------+------------|
      | Apache     | 8K         |
      | Nginx      | 4K-8K      |
      | IIS        | 8K-16K     |
      | Tomcat     | 8K-48K     |

    https://www.tutorialspoint.com/What-is-the-maximum-size-of-HTTP-header-values