When generating an Assertion for Federation using a multi-valued attribute, the “FMATTR:” prefix is used to indicate that the following values should be read as a multi-lined value in the assertion, rather than printed as a single line of caret (^) delimited values.
This works in most circumstances; however, when combined with an expression defined in the user store, the values are printed as a single line of caret (^) delimited values.
Ex:
Mail attribute setup in the user store with 3 values: [email protected], [email protected], [email protected]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Test Case 1:
Attribute Name: MailA1:
Configured as Alias for the attribute "mail" in user store. Inputted in Federation Assertion Value as "MailA1"
Expected results:
Because no FMATTR prefix was included, expected a caret (^) delimited list of the mail attribute.
Actual results:
<ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>
</ns2:Attribute>
Omitting the FMATTR prefix functions correctly on an alias set up in the User Store Attribute Mapping.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Test Case 2:
Attribute Name: MailA2:
Configured as Alias for the attribute "mail" in user store. Inputted in Federation Assertion Value as "FMATTR:MailA2"
Expected results:
Because FMATTR prefix was included, expected a list of the mail attribute with each attribute value listed as its own attribute value, rather than one single value.
Actual results:
<ns2:Attribute Name="MailA2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>[email protected]</ns2:AttributeValue>
<ns2:AttributeValue>[email protected]</ns2:AttributeValue>
<ns2:AttributeValue>[email protected]</ns2:AttributeValue>
</ns2:Attribute>
Inclusion of FMATTR prefix functions correctly on an alias setup in the User Store Attribute Mapping
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Test Case 3:
Attribute Name: MailE1
Configured as Expression which prints the list as all caps for the attribute "mail" in user store. Inputted in Federation Assertion Value as "MailE1"
Expected results:
Because no FMATTR prefix was included, expected a caret (^) delimited list of the mail attribute in all caps.
Actual results:
<ns2:Attribute Name="MailE1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>
</ns2:Attribute>
Omitting the FMATTR prefix functions correctly on an expression set up in the User Store Attribute Mapping.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Test Case 4:
Attribute Name: MailE2
Configured as Expression which prints the list as all caps for the attribute "mail" in user store. Inputted in Federation Assertion Value as "FMATTR:MailE2"
Expected results:
Because FMATTR prefix was included, expected a list of the mail attribute with each attribute value listed as its own attribute value, rather than one single value.
Actual results:
<ns2:Attribute Name="MailE2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>[email protected]^[email protected]^[email protected]</ns2:AttributeValue>
</ns2:Attribute>
Inclusion of FMATTR prefix does not function correctly on an expression setup in the User Store Attribute Mapping.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Code defect
Fixed in 12.6 and 12.52 SP1 CR08
Resolved with internal Engineering ticket DE198382
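To confirm the behavior after applying the fix, a captured test assertion can be checked for attributes that were configured with FMATTR: but still arrived as one caret-joined value (Test Case 4). The following is an added example, not code from the product or the original article; the function names, the sample mail values and the binding of the ns2 prefix to the SAML 2.0 assertion namespace are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption: the ns2 prefix in the captures binds to the SAML 2.0 assertion namespace.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample: attribute names from Test Cases 2 and 4, made-up mail values.
SAMPLE = f"""<ns2:AttributeStatement xmlns:ns2="{SAML_NS}">
<ns2:Attribute Name="MailA2" NameFormat="{UNSPEC}">
<ns2:AttributeValue>user1@example.com</ns2:AttributeValue>
<ns2:AttributeValue>user2@example.com</ns2:AttributeValue>
<ns2:AttributeValue>user3@example.com</ns2:AttributeValue>
</ns2:Attribute>
<ns2:Attribute Name="MailE2" NameFormat="{UNSPEC}">
<ns2:AttributeValue>USER1@EXAMPLE.COM^USER2@EXAMPLE.COM^USER3@EXAMPLE.COM</ns2:AttributeValue>
</ns2:Attribute>
</ns2:AttributeStatement>"""


def attribute_values(xml_text):
    """Map each Attribute Name to the list of its AttributeValue texts."""
    # Shape check only, for assertions captured from your own test IdP;
    # it does not validate signatures or harden the parser for untrusted XML.
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = attr.findall(f"{{{SAML_NS}}}AttributeValue")
        result[attr.get("Name")] = [(v.text or "").strip() for v in values]
    return result


def collapsed_fmattr(xml_text, fmattr_names, delimiter="^"):
    """Names configured with FMATTR: that still arrived as one delimiter-joined value."""
    seen = attribute_values(xml_text)
    flagged = []
    for name in fmattr_names:
        values = seen.get(name, [])
        if len(values) == 1 and delimiter in values[0]:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in collapsed_fmattr(SAMPLE, ["MailA2", "MailE2"]):
        print(f"{name}: FMATTR ignored, values joined with '^' in one AttributeValue")
```

Pass only the attribute names that were entered with the FMATTR: prefix; attributes without the prefix (Test Cases 1 and 3) are expected to be caret-delimited and should not be listed.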