Maximum size limit on SAML attribute as POST parameter.


Article ID: 37329


Products

 - CA Single Sign On Secure Proxy Server (SiteMinder)
 - CA Single Sign On SOA Security Manager (SiteMinder)
 - CA Single Sign-On

Issue/Introduction


We'd like to know if there is a maximum length limit for a SAML
attribute in SiteMinder federation.


Environment


Windows/Unix/All


Resolution


On the system where the Policy Server is installed, navigate to
policy_server_home\config\properties\EntitlementGenerator.properties. Open
the file in a text editor. Adjust the maximum user attribute length
for the protocols in use in your environment.

 - This file contains the properties required for federation.

 - These properties set the maximum attribute length used for
   WS-FED, SAML1.x, and SAML2.0 assertion attributes:

    - com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024

    - com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024

    - com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024

In the product code the value is parsed as a Java Integer, so it has a
minimum value of -2,147,483,648 and a maximum value of 2,147,483,647:

    - int bufferSize = Integer.valueOf(maxUserAttributeLength);

No upper limit is enforced by the SiteMinder code. The code only checks
that the value is a valid integer that is neither zero nor negative.

The default is 1024, which commonly can be increased to 4096 or more.

However, if the value is too large, the data transfer buffer can
overflow, in which case the default value is used instead.

After increasing the default UserAttributeLength value, the customer is
responsible for ensuring that the total size of the SAMLResponse does
not exceed the HTTP buffer limit; otherwise the transmitted SAML data
is truncated.

The buffer limit could reside on any number of third-party software
components: web browser, web server, proxy, network device, etc.
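The following script is an added example, not part of this article or of the product: it reads the three MaxUserAttributeLength keys from a constructed excerpt of EntitlementGenerator.properties, applies the checks the article describes (Java int range, neither zero nor negative), and estimates the base64-encoded SAMLResponse POST size so it can be compared against whatever HTTP buffer limit applies in your environment. The fixed XML overhead, per-attribute overhead, attribute count and POST limit are assumed inputs, and the fallback to 1024 for a rejected value is assumed (the article states it only for the overflow case).

```python
import math
import re

# Constructed excerpt of the properties file (not a real customer file).
SAMPLE_PROPERTIES = """\
# EntitlementGenerator.properties (constructed excerpt)
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=0
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=8192
"""
KEY_RE = re.compile(
    r"^com\.netegrity\.assertiongenerator\.(\w+)\.MaxUserAttributeLength=(.*)$")
DEFAULT_LENGTH = 1024                       # product default per the article
JAVA_INT_MIN, JAVA_INT_MAX = -2**31, 2**31 - 1

def parse_max_lengths(text):
    """Return {protocol: raw value} for each MaxUserAttributeLength key found."""
    found = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def check_value(raw):
    """Classify a value as the article says the product does: it must parse
    as a Java int (Integer.valueOf) and be neither zero nor negative."""
    try:
        value = int(raw)
    except ValueError:
        return "not-an-integer"
    if not JAVA_INT_MIN <= value <= JAVA_INT_MAX:
        return "outside-java-int-range"
    if value <= 0:
        return "zero-or-negative"
    return "ok"

def estimate_post_size(max_attr_len, attr_count, fixed_xml_bytes=3000,
                       per_attr_overhead=150):
    """Rough upper bound (bytes) on the SAMLResponse POST parameter when every
    attribute is filled to max_attr_len. fixed_xml_bytes (assertion, issuer,
    signature) and per_attr_overhead (Attribute/AttributeValue tags) are
    assumed constants; the result is the base64 size before URL encoding."""
    xml_bytes = fixed_xml_bytes + attr_count * (per_attr_overhead + max_attr_len)
    return 4 * math.ceil(xml_bytes / 3)

def audit(text, attr_count, post_limit_bytes):
    """Return {protocol: (status, estimated bytes, fits within limit)}."""
    report = {}
    for proto, raw in parse_max_lengths(text).items():
        status = check_value(raw)
        length = int(raw) if status == "ok" else DEFAULT_LENGTH  # assumed fallback
        size = estimate_post_size(length, attr_count)
        report[proto] = (status, size, size <= post_limit_bytes)
    return report
```

Run `audit(SAMPLE_PROPERTIES, attr_count=5, post_limit_bytes=16384)` to see that the saml2 setting of 8192 would exceed a 16 KB limit with five full-length attributes, while the invalid saml1 value is flagged.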