Symantec Access Management

  • 1.  Question about MaxUserAttributeLength Setting

    Posted Mar 09, 2015 11:26 AM

    In order to accommodate the large number of groups our users are in, when we implemented the SharePoint Agent, we had to increase the default value of MaxUserAttributeLength in the wsfed.properties file on the policy servers. Would this setting also apply to SAML assertions generated by Federation agents using the same policy servers?



  • 2.  Re: Question about MaxUserAttributeLength Setting

    Posted Mar 09, 2015 05:13 PM

    brodginskicc

     

    What version of SiteMinder is being used?

     

    The reason I ask is that when the SharePoint Agent program was delivered on early R12SP3, the WSFED code logic used to look at the wsfed.properties file. This file was used only for WSFED journeys.

     

     

    However, a change was introduced in SiteMinder (starting R12 SP3 CR10): we have a different properties file called EntitlementGenerator.properties; this properties file is applicable for all protocols.

     

    #################################################

    Default values for user assertion attribute length in EntitlementGenerator.properties are provided as follows: 

          For WS-FED:

    Property name      : com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength

    Property Type       : integer

    Default value        : 1024

     

          For SAML1.1:

    Property name      : com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength

    Property Type       : integer

    Default value        : 1024

     

          For SAML2.0:

    Property name      : com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength

    Property Type       : integer

    Default value        : 1024

     

    If user configures a value < 0 or value = 0 for any of the above attributes, then default value of 1024 will be used.

    ####################################################




    I would recommend you test these values properly and carefully, as I am unsure what version is being used on your end.




    Hope this helps!



    Regards


    Hubert



  • 3.  Re: Question about MaxUserAttributeLength Setting

    Posted Mar 10, 2015 08:49 AM

    Our policy servers are 12.0 SP3 CR12. We do not want our assertions generated for SAML to use this setting. It’s only needed for our SharePoint users. Sounds like what you are saying is, if we leave the value in the wsfed.properties file, we are getting what we want. Is that correct?



  • 4.  Re: Question about MaxUserAttributeLength Setting
    Best Answer

    Posted Mar 10, 2015 09:45 AM

    brodginskicc

     

    Yes, as long as it works with wsfed.properties in the current release, it is good. Hence you are all set from a SharePoint SSO perspective in R12 SP3 CR09. From R12 SP3 CR10 onwards, use EntitlementGenerator.properties.

     

    Until R12SP3CR09 wsfed.properties is used.

    Post R12SP3CR10 wsfed.properties is ignored and only EntitlementGenerator.properties is honored.

    The crux is that only one of the properties files is honored, not both (wsfed.properties is the older way and EntitlementGenerator.properties is the future).

     

    However, if it does stop working using wsfed.properties in the latest release when you upgrade (e.g. the product does not ship or use wsfed.properties anymore), in such an event you do have a fallback alternative to use EntitlementGenerator.properties.

     

    Agent for SharePoint Integrated Documents

     

    SNIP>

    Different File Location for Fixing Truncated Attributes in SharePoint

    The Agent for SharePoint uses the MaxUserAttributeLength setting to control the length of the attributes displayed in SharePoint.

    For 12.0.3 and 12.5.0, this setting was in the following file:

    policy_server_home\config\properties\wsfed.properties  

    For 12.5.1, the MaxUserAttributeLength is located in a different file:

    policy_server_home\config\properties\EntitlementGenerator.properties  

    Update the MaxUserAttributeLength setting in the EntitlementGenerator.properties file so that it matches the one that you used in the older version of the Agent for SharePoint.

    <SNIP

     

     

    Hope this helps, and if it helped resolve the query, kindly mark the thread closed.

     

     

    Regards

     

    Hubert
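
Added example, not part of the thread or of the product: a small Python check that reads EntitlementGenerator.properties content and reports the effective MaxUserAttributeLength for each protocol, using the property names, the 1024 default and the "value <= 0 falls back to the default" rule quoted in reply 2. The sample file content and the value 4096 are constructed, and reporting a non-integer value as unknown is an assumption, since the thread does not say how the policy server treats it.

```python
# Added example: effective MaxUserAttributeLength per protocol.
DEFAULT_LENGTH = 1024  # default stated in the thread
PREFIX = "com.netegrity.assertiongenerator."
PROTOCOLS = ("wsfed", "saml1", "saml2")

# Constructed sample content, not taken from a real policy server.
SAMPLE = """\
# EntitlementGenerator.properties (constructed sample)
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength = 4096
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=0
! saml2 is intentionally not set
"""

def parse_properties(text):
    """Parse simple key=value / key:value lines; skip blanks and #/! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def effective_lengths(text):
    """Return {protocol: (effective_length, source)}; length is None if unknown."""
    props = parse_properties(text)
    result = {}
    for proto in PROTOCOLS:
        raw = props.get(f"{PREFIX}{proto}.MaxUserAttributeLength")
        if raw is None:
            result[proto] = (DEFAULT_LENGTH, "default (not set)")
            continue
        try:
            value = int(raw)
        except ValueError:
            # Assumption: the thread does not describe this case, so report it.
            result[proto] = (None, f"not an integer: {raw!r}")
            continue
        if value <= 0:  # rule quoted in the thread: <= 0 means the default is used
            result[proto] = (DEFAULT_LENGTH, f"default (configured {value})")
        else:
            result[proto] = (value, "configured")
    return result

if __name__ == "__main__":
    for proto, (length, source) in effective_lengths(SAMPLE).items():
        print(f"{proto}: {length} [{source}]")
```

Run against the file from a release where EntitlementGenerator.properties is the honored file, this shows at a glance whether a raised WS-FED limit has also been applied to the SAML 1.1 or SAML 2.0 properties.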