Maximum size limit on SAML attribute as POST parameter.


Article ID: 37329




CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On



SAML attribute length in a federation transaction.


Is there a maximum limit on the length of a SAML attribute in SiteMinder federation?




On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\ and open the file in a text editor. Adjust the maximum user attribute length for the protocols in use in your environment.

 - This file contains any properties required for federation.

 - This indicates the maximum attribute length that will be used for WS-FED, SAML1.x, and SAML2.0 assertion attributes:

     com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024

     com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024

     com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024

From the product code, the value is an Integer. It has a minimum value of -2,147,483,648 and a maximum value of 2,147,483,647.

     int bufferSize = Integer.valueOf(maxUserAttributeLength);

The SiteMinder code sets no upper limit. It only checks that the value is valid (not 0 or negative).

The default is 1024, which commonly can be increased to 4096 or more.

However, if the value is too big, the data transfer buffer can overflow, and the default value will be used instead.

After increasing the default UserAttributeLength value, it is the customer's responsibility to ensure that the total size of the SAMLResponse does not exceed the HTTP buffer limit; beyond that limit, the transmitted SAML data gets truncated.

The buffer limit could reside on any number of third-party software components: web browser, web server, proxy, network device, etc.
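
The check below is an added example, not SiteMinder code or part of the original article: it reads the three MaxUserAttributeLength properties, applies the validity rules described above, and estimates how large the SAMLResponse POST parameter becomes after base64 and form encoding. The 3000-byte assertion envelope, the 8192-byte HTTP limit, the sample property values and the treatment of the attribute length as bytes are assumptions; substitute the figures measured in your own environment.

```python
import base64
from urllib.parse import urlencode

INT_MIN, INT_MAX = -2**31, 2**31 - 1  # range of a Java int
KEY_FMT = "com.netegrity.assertiongenerator.{}.MaxUserAttributeLength"
PROTOCOLS = ("wsfed", "saml1", "saml2")

def validate(value):
    """Apply the article's rules: a Java int that is not 0 or negative."""
    number = int(value)  # raises ValueError for non-numeric input
    if not INT_MIN <= number <= INT_MAX:
        raise ValueError(f"{value} does not fit in a Java int")
    if number <= 0:
        raise ValueError(f"{value} must be greater than 0")
    return number

def read_limits(properties_text):
    """Return {protocol: limit} for the MaxUserAttributeLength keys present."""
    limits = {}
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        for proto in PROTOCOLS:
            if sep and key.strip() == KEY_FMT.format(proto):
                limits[proto] = validate(value.strip())
    return limits

def post_param_size(xml_bytes):
    """Bytes that 'SAMLResponse=<base64>' occupies in a form-encoded POST body."""
    return len(urlencode({"SAMLResponse": base64.b64encode(xml_bytes)}))

def fits(attr_len, envelope_bytes, http_limit):
    """Estimate for one attribute of attr_len bytes inside envelope_bytes of XML."""
    # Filler bytes stand in for the assertion. Real payloads also yield '+' and
    # '/' in base64, which form encoding triples, so keep some headroom.
    return post_param_size(b"x" * (attr_len + envelope_bytes)) <= http_limit

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=4096
"""

if __name__ == "__main__":
    for proto, limit in read_limits(SAMPLE).items():
        print(proto, limit, fits(limit, envelope_bytes=3000, http_limit=8192))
```

With these assumed figures the 1024 setting stays under the limit, while 4096 pushes the encoded parameter past 8192 bytes, which is the truncation risk described above.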






Component: SMFSS