FMATTR doesn't work for User Attribute Mapped Expressions


Article ID: 4280


Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

When generating an assertion for Federation using a multi-valued attribute, the "FMATTR:" prefix indicates that the values that follow should be written to the assertion as multiple values, one per line, rather than as a single line of caret (^) delimited values.

This works in most circumstances. However, when the prefix is combined with an expression defined in the user store attribute mapping, the values are still printed as a single line of caret (^) delimited values.

Example:

Mail attribute set up in the user store with 3 values: [email protected], [email protected], [email protected]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Test Case 1:

Attribute Name: MailA1

Configured as an alias for the attribute "mail" in the user store. Entered in the Federation assertion value as "MailA1".

 

Expected results:

Because no FMATTR prefix was included, a caret (^) delimited list of the mail attribute values was expected.

 

Actual results:

<ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>

</ns2:Attribute>

 

Omitting the FMATTR prefix works as expected for an alias set up in the User Store Attribute Mapping.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Test Case 2:

Attribute Name: MailA2

Configured as an alias for the attribute "mail" in the user store. Entered in the Federation assertion value as "FMATTR:MailA2".

 

Expected results:

Because the FMATTR prefix was included, each value of the mail attribute was expected in its own attribute value, rather than all of them in one single value.

 

Actual results:

<ns2:Attribute Name="MailA2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<ns2:AttributeValue>[email protected]</ns2:AttributeValue>

<ns2:AttributeValue>[email protected]</ns2:AttributeValue>

<ns2:AttributeValue>[email protected]</ns2:AttributeValue>

</ns2:Attribute>

 

Including the FMATTR prefix works as expected for an alias set up in the User Store Attribute Mapping.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Test Case 3:

Attribute Name: MailE1

Configured as an expression that prints the list in all caps for the attribute "mail" in the user store. Entered in the Federation assertion value as "MailE1".

 

Expected results:

Because no FMATTR prefix was included, a caret (^) delimited list of the mail attribute values in all caps was expected.

 

Actual results:

<ns2:Attribute Name="MailE1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>

</ns2:Attribute>

 

Omitting the FMATTR prefix works as expected for an expression set up in the User Store Attribute Mapping.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Test Case 4:

Attribute Name: MailE2

Configured as an expression that prints the list in all caps for the attribute "mail" in the user store. Entered in the Federation assertion value as "FMATTR:MailE2".

 

Expected results:

Because the FMATTR prefix was included, each value of the mail attribute was expected in its own attribute value, rather than all of them in one single value.

 

Actual results:

<ns2:Attribute Name="MailE2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

<ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>

</ns2:Attribute>

 

Including the FMATTR prefix does not work as expected for an expression set up in the User Store Attribute Mapping: the values are still combined into one caret (^) delimited value.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Cause

Code defect

Environment

Applies to all supported environments for the specified releases. Confirmed for 12.52 SP1 up to 12.52 SP1 CR5.

Resolution

Fixed in 12.6 and 12.52 SP1 CR08
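To check a captured assertion for the symptom in Test Case 4, before or after applying the fix, the following added example (not part of the original article or the product) lists the attributes that were mapped with FMATTR but still arrived as one caret-joined value. The sample XML and its example.com addresses are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (the page's output binds it to the ns2 prefix).
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample shaped like Test Case 2 (correct) and Test Case 4 (defect).
SAMPLE = f"""\
<ns2:AttributeStatement xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns2:Attribute Name="MailA2" NameFormat="{UNSPEC}">
    <ns2:AttributeValue>user1@example.com</ns2:AttributeValue>
    <ns2:AttributeValue>user2@example.com</ns2:AttributeValue>
    <ns2:AttributeValue>user3@example.com</ns2:AttributeValue>
  </ns2:Attribute>
  <ns2:Attribute Name="MailE2" NameFormat="{UNSPEC}">
    <ns2:AttributeValue>USER1@EXAMPLE.COM^USER2@EXAMPLE.COM^USER3@EXAMPLE.COM</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>
"""


def attribute_values(xml_text):
    """Return {attribute name: [AttributeValue texts]} for each SAML attribute."""
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        result[attr.get("Name")] = [(v.text or "") for v in values]
    return result


def collapsed_attributes(xml_text, fmattr_names, delimiter="^"):
    """Return {name: split values} for FMATTR-mapped attributes that arrived
    as a single delimiter-joined AttributeValue (the Test Case 4 symptom).

    Only names in fmattr_names are checked, because attributes mapped without
    the prefix (Test Cases 1 and 3) are caret-joined by design.
    """
    values = attribute_values(xml_text)
    flagged = {}
    for name in fmattr_names:
        vals = values.get(name, [])
        if len(vals) == 1 and delimiter in vals[0]:
            flagged[name] = vals[0].split(delimiter)
    return flagged


if __name__ == "__main__":
    for name, parts in collapsed_attributes(SAMPLE, ["MailA2", "MailE2"]).items():
        print(f"{name}: one AttributeValue holding {len(parts)} caret-joined entries")
```
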

Additional Information

Resolved with internal Engineering ticket DE198382