I'm trying to send group memberships as part of an assertion. By default Siteminder groups all the groups in one string with a separator of '^'. However, the SP needs these groups to be separated and included in their own <AttributeValue> tags.
After some research it seems like this would do the trick: FMATTR:isMemberOf in the Attribute Value field of the assertion.
However, when the assertion gets generated, it doesn't put them in its own <AttributeValue> tags.
It adds a CA.FM.SEP instead of the ^. Is there something else I need to do to be able to use the FMATTR: function?
<ns1:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><ns1:AttributeValue>cn=Group1, ou=group c=USCA.FM.SEP
cn=Group2, ou=group, c=USCA.FM.SEP
cn=Group3, ou=group, c=USCA.FM.SEP
cn=Group4, ou=group, c=USCA.FM.SEP
cn=Group5, ou=group, c=US
The multi-valued LDAP attribute value is specified correctly, and that certainly does not look like an expected outcome.
Please confirm if the values returned are truncated in any aspect or if the values are correctly returned but with an odd separator.
There was a known issue pertaining to the value getting truncated with this odd separator appended at the back. To overcome it, you can increase the MaxUserAttributeLength specified in the EntitlementGenerator.properties file.
Thank you wonsa03
I can confirm that the whole DN is being returned, but instead of having them in different fields, I get this separator.
I even tried to add this as an auth web service response, and I get the same separator there as well instead of it being split into their own tags.
Where can I find the entitlementGenerator.properties?
Please find EntitlementGenerator.properties under the below location on the policy server.
This is finally confirmed to be a bug in r12.52 SP1 CR04. It should hopefully be fixed in the next CR patch.