A SAML assertion attribute is truncated at the relying party when directory attributes are sent in the assertion and the user belongs to enough groups that the attribute value (for example memberOf) is larger than 1024 characters.
Policy Server, all versions.
In R12 SP3:
The following issues occur:
The directory attributes appear truncated at the relying party.
The following message appears in the smtracedefault.log file:
[WARNING: Response attribute will be trimmed. [attr = SMUSERGRP:memberOf] [actual attr len = number] [ response attr len = number]]
Note: In the warning message, SMUSERGRP is the response attribute (variable) name and memberOf is the user directory attribute it maps to. The names in your log reflect your own response configuration.
The cause is a limit on the size of a user attribute placed in an assertion. When the header/attribute is larger than 1024 characters, it is trimmed before the assertion is generated, so the relying party (consumer/service provider) receives a truncated attribute and cannot authorize the user based on it.
In earlier versions there was no Policy Server limit of its own; the effective limit was the web server's header size limit. Starting with R12 SP3, the Policy Server enforces a default maximum of 1024 characters per user attribute.
If the user attribute is larger than 1024 characters, increase the value of the following properties to resolve the issue.
The properties are in the file
"EntitlementGenerator.properties"
located at
"<<PS_Installation_path>>\config\properties"
Increase the value of the property that matches the federation type in use (WS-Federation, SAML 1.x or SAML 2.0):
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024
The value is a 32-bit signed integer, so the maximum is 2,147,483,647. Note that the web server may impose its own, lower limit on header size (1). The value counts only the attribute value; the surrounding <attribute> tag is not included.
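As an added example for this article (not CA/Broadcom code and not part of the original page), the script below reads the trim warning out of smtracedefault.log text, sizes a new MaxUserAttributeLength from the largest "actual attr len" seen, flags the case where that value is above the web server header limit from footnote (1), and rewrites the key for the chosen federation type in EntitlementGenerator.properties text. The log lines and properties fragment embedded in it are constructed samples; the 25% headroom, rounding to 256 and the 8K header ceiling are assumptions you can change.

```python
"""Size and apply a new MaxUserAttributeLength value.

Added example, not CA/Broadcom code. Assumptions (not from the article): the
warning text quoted in the article is matched literally, the properties file
uses plain key=value lines, and headroom/rounding/header ceiling are tunable.
"""
import re

# Property keys named in the article, one per federation protocol.
KEYS = {
    "wsfed": "com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength",
    "saml1": "com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength",
    "saml2": "com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength",
}
INT_MAX = 2_147_483_647  # the property is a 32-bit signed integer

# Matches the smtracedefault.log warning quoted in the article.
TRIM_RE = re.compile(
    r"Response attribute will be trimmed\.\s*\[attr = (?P<attr>[^\]]+)\]"
    r"\s*\[actual attr len = (?P<actual>\d+)\]"
    r"\s*\[\s*response attr len = (?P<limit>\d+)\]"
)

# Constructed sample log lines (message part only; real lines carry a prefix).
SAMPLE_LOG = """\
[WARNING: Response attribute will be trimmed. [attr = SMUSERGRP:memberOf] [actual attr len = 2500] [ response attr len = 1024]]
[WARNING: Response attribute will be trimmed. [attr = SMUSERGRP:memberOf] [actual attr len = 3210] [ response attr len = 1024]]
"""

# Constructed sample of the three properties at their R12 SP3 defaults.
SAMPLE_PROPERTIES = """\
# constructed sample EntitlementGenerator.properties fragment
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024
"""


def find_trimmed_attrs(log_text):
    """Return {attr: largest 'actual attr len' seen} for every trimmed attribute."""
    worst = {}
    for m in TRIM_RE.finditer(log_text):
        attr, actual = m.group("attr"), int(m.group("actual"))
        worst[attr] = max(worst.get(attr, 0), actual)
    return worst


def recommend_limit(actual_len, headroom=0.25, header_limit=8192):
    """Return (new_limit, exceeds_header_limit).

    new_limit is actual_len plus headroom (group membership grows), rounded up
    to a multiple of 256 and clamped to INT_MAX. The flag is True when the
    value is above the assumed web server header ceiling (footnote (1)).
    """
    wanted = int(actual_len * (1 + headroom))
    wanted = ((wanted + 255) // 256) * 256
    wanted = min(wanted, INT_MAX)
    return wanted, wanted > header_limit


def get_property(text, key):
    """Return the integer value of key in properties text, or None if absent."""
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            return int(v.strip())
    return None


def set_property(text, key, value):
    """Return properties text with key=value replaced in place or appended."""
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    out, found = [], False
    for line in text.splitlines():
        if pattern.match(line):
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def plan_update(log_text, properties_text, federation):
    """Raise the limit for one federation protocol based on the log.

    Returns (new_properties_text, limit_in_effect, exceeds_header_limit);
    nothing changes when there is no trim warning or the current value suffices.
    """
    key = KEYS[federation]
    current = get_property(properties_text, key) or 0
    trimmed = find_trimmed_attrs(log_text)
    if not trimmed:
        return properties_text, current, False
    new_limit, warn = recommend_limit(max(trimmed.values()))
    if new_limit <= current:
        return properties_text, current, False
    return set_property(properties_text, key, new_limit), new_limit, warn


if __name__ == "__main__":
    updated, limit, warn = plan_update(SAMPLE_LOG, SAMPLE_PROPERTIES, "saml2")
    print(f"new saml2 limit: {limit} (exceeds assumed header limit: {warn})")
    print(updated, end="")
```

Run it against the real file by reading smtracedefault.log and EntitlementGenerator.properties into strings, passing the federation type you use, and writing the returned text back; when the flag comes back True, the web server header limit also has to be raised or the attribute will still not fit where it is sent as a header.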
(1)
What is the maximum size of HTTP header values?
Most web servers set their own limits on the size of HTTP request headers. The following are the limits of some of the most popular web servers:
| Web Server | Size Limit |
|------------+------------|
| Apache | 8K |
| Nginx | 4K-8K |
| IIS | 8K-16K |
| Tomcat | 8K-48K |
https://www.tutorialspoint.com/What-is-the-maximum-size-of-HTTP-header-values