Maximum size limit on SAML attribute as POST parameter in Federation

Article ID: 37329

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On SITEMINDER

Issue/Introduction

Is there a maximum limit on the length of a SAML attribute in SiteMinder federation?

Environment

Windows/Unix/All

Resolution

On the system where the Policy Server is installed, navigate to policy_server_home\config\properties\EntitlementGenerator.properties.

Open the file in a text editor.

Adjust the maximum user attribute length for the protocols in use in your environment.

  • This file contains the properties required for federation.
  • The following properties set the maximum attribute length used for WS-FED, SAML1.x, and SAML2.0 assertion attributes:
    • com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
    • com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
    • com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024

In the product code, the value is parsed as a Java Integer, so it can range from a minimum of -2,147,483,648 to a maximum of 2,147,483,647:

  • int bufferSize = Integer.valueOf(maxUserAttributeLength);


There is no upper limit imposed by the SiteMinder code. The code only checks that the value is a valid integer and is not zero or negative.

The default is 1024, which can commonly be increased to 4096 or more.

However, if the value is too large, the data transfer buffer can overflow, and the default value will be used instead.

After increasing the default MaxUserAttributeLength value, ensure that the total size of the SAMLResponse does not exceed the HTTP buffer limit, otherwise the transmitted SAML data will be truncated.

That buffer limit may be imposed by any number of third-party components along the path: web browser, web server, proxy, network device, etc.
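The two checks the article asks for, as an added example that is not CA/Broadcom code: read the three MaxUserAttributeLength properties from a constructed copy of EntitlementGenerator.properties, apply the validation the article describes (Java Integer range, not zero or negative, default 1024 otherwise), then estimate how large the resulting SAMLResponse POST parameter becomes after base64 and form encoding and compare it with an assumed HTTP buffer limit. The property names are the ones quoted above; the properties text, the attribute values, the skeletal Response XML and the HTTP limit are constructed for the demonstration and are not what SiteMinder emits or enforces.

```python
"""Sanity checks for EntitlementGenerator.properties attribute-length settings.

Assumptions: only the three property names and the default of 1024 come from
the article; the file contents, attributes and HTTP limit are constructed.
"""
import base64
from urllib.parse import quote
from xml.sax.saxutils import escape

# Property names quoted in the article (WS-FED, SAML1.x, SAML2.0).
MAX_ATTR_PROPS = (
    "com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength",
    "com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength",
    "com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength",
)
DEFAULT_MAX_ATTR_LEN = 1024            # default named in the article
INT_MIN, INT_MAX = -2 ** 31, 2 ** 31 - 1  # Java Integer range

# Constructed sample of the properties file; not the shipped file.
SAMPLE_PROPERTIES = """\
# EntitlementGenerator.properties (constructed sample)
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=0
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=4096
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value, '#'/'!' comments, blanks."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_attr_length(raw_value):
    """Apply the validation the article describes: the value must parse as a
    Java Integer and must not be zero or negative; otherwise 1024 applies.
    Returns (length, note)."""
    try:
        value = int(raw_value)
    except (TypeError, ValueError):
        return DEFAULT_MAX_ATTR_LEN, "not an integer; default used"
    if value < INT_MIN or value > INT_MAX:
        return DEFAULT_MAX_ATTR_LEN, "outside Java Integer range; default used"
    if value <= 0:
        return DEFAULT_MAX_ATTR_LEN, "zero or negative; default used"
    return value, "ok"


def check_attr_lengths(props):
    """Effective length and a note for each of the three properties."""
    return {name: effective_attr_length(props.get(name)) for name in MAX_ATTR_PROPS}


def saml_response_post_size(attributes):
    """Estimate the on-the-wire size of the SAMLResponse POST parameter.

    Builds a skeletal, unsigned (constructed) Response carrying the
    attributes, base64-encodes it as the POST binding does, then form-encodes
    it. The result is the byte count of 'SAMLResponse=<encoded>' that every
    browser, proxy and web server on the path must accept untruncated.
    """
    attr_xml = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % (escape(n), escape(v))
        for n, v in attributes.items()
    )
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:AttributeStatement>%s</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>" % attr_xml
    )
    b64 = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return len("SAMLResponse=") + len(quote(b64, safe=""))


def truncation_risk(attributes, http_limit):
    """True when the estimated POST size exceeds the given HTTP buffer limit."""
    return saml_response_post_size(attributes) > http_limit


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for name, (length, note) in check_attr_lengths(props).items():
        print(f"{name.split('.')[-2]}: {length} ({note})")
    # Constructed attribute set: one attribute filled to the saml2 length.
    attrs = {"mail": "user@example.invalid", "groups": "x" * 4096}
    limit = 8192  # constructed HTTP POST buffer limit for the demonstration
    size = saml_response_post_size(attrs)
    print(f"estimated SAMLResponse POST size: {size} bytes, limit {limit}")
    print("truncation risk" if truncation_risk(attrs, limit) else "within limit")
```

The size estimate matters more than the raw attribute length: base64 expands the assertion by a third and form encoding adds more, so a 4096-byte attribute already produces a POST parameter well over 5 KB before the signature and any other attributes are counted.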