Symantec Access Management

  • 1.  Sending Multi-valued attributes in assertion

    Posted Jul 25, 2016 11:58 AM

    Hi,

     

    I'm trying to send group memberships as part of an assertion. By default Siteminder groups all the groups in one string with a separator of '^'. However, the SP needs these groups to be separated and included in their own <AttributeValue> tags.

     

    After some research, it seems like this would do the trick: FMATTR:isMemberOf in the Attribute Value field of the assertion.

     

    However, when the assertion gets generated, it doesn't put them in their own <AttributeValue> tags.

     

    It adds a CA.FM.SEP instead of the ^. Is there something else I need to do to be able to use the FMATTR: function?


    <ns1:Attribute AttributeName="role" AttributeNamespace="http://schemas.microsoft.com/ws/2008/06/identity/claims"><ns1:AttributeValue>cn=Group1, ou=group c=USCA.FM.SEP

    cn=Group2, ou=group, c=USCA.FM.SEP

    cn=Group3, ou=group, c=USCA.FM.SEP

    cn=Group4, ou=group, c=USCA.FM.SEP

    cn=Group5, ou=group, c=US

    </ns1:AttributeValue>

     

    Regards,

    Anand.



  • 2.  Re: Sending Multi-valued attributes in assertion
    Best Answer

    Posted Jul 25, 2016 06:50 PM

    Hi Anand,

     

    The multi-valued LDAP attribute value is specified correctly, and that certainly does not look like an expected outcome.

     

    Please confirm if the values returned are truncated in any aspect or if the values are correctly returned but with an odd separator.

     

    There was a known issue pertaining to the value getting truncated with this odd separator appended at the back. To overcome it, you can increase the MaxUserAttributeLength specified in the EntitlementGenerator.properties file.

     

    Thank you.



  • 3.  Re: Sending Multi-valued attributes in assertion

    Posted Jul 26, 2016 12:02 PM

    Thank you wonsa03

     

    I can confirm that the whole DN is being returned, but instead of having them in different fields, I get this separator.

     

    I even tried to add this as an auth web service response and I get the same separator there as well instead of being split into their own tags.

     

    Where can I find the entitlementGenerator.properties?

     

    Regards,

    Anand.



  • 4.  Re: Sending Multi-valued attributes in assertion

    Posted Jul 26, 2016 12:09 PM

    Hi Anand,

     

    Please find EntitlementGenerator.properties under the location below on the policy server.

    PS_HOME\config\properties

     

    Thanks,

    Sharan



  • 5.  Re: Sending Multi-valued attributes in assertion

    Posted Sep 28, 2016 05:00 PM

    This is finally confirmed to be a bug in r12.52 SP1 CR04. It should hopefully be fixed in the next CR patch.

     

    Regards,

    Anand.
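
Added example, not part of the thread and not CA/Symantec code: a diagnostic that reads a decoded assertion and reports, per attribute, whether the group DNs arrived as separate <AttributeValue> elements or joined in one element by `CA.FM.SEP` or `^`, as described in the first post. The sample assertion is constructed; the `ns1` namespace binding, the `mail` attribute and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Separators named in the thread: the 'CA.FM.SEP' token and the default '^'.
SEPARATORS = ("CA.FM.SEP", "^")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def split_joined(text):
    """Split one AttributeValue on the separators, never on ',' (DNs contain commas)."""
    parts = [text]
    for sep in SEPARATORS:
        parts = [piece for p in parts for piece in p.split(sep)]
    return [p.strip() for p in parts if p.strip()]

def audit_attributes(xml_text):
    """Map attribute name -> element count, recovered values, and a 'joined' flag."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "Attribute":
            continue
        name = el.get("AttributeName") or el.get("Name")
        values = [v.text or "" for v in el if local(v.tag) == "AttributeValue"]
        recovered = [dn for v in values for dn in split_joined(v)]
        report[name] = {
            "elements": len(values),                 # <AttributeValue> tags present
            "values": recovered,                     # values after splitting
            "joined": len(recovered) > len(values),  # True = the symptom in this thread
        }
    return report

# Constructed sample modelled on the assertion in the first post (ns1 binding assumed).
CLAIMS = "http://schemas.microsoft.com/ws/2008/06/identity/claims"
SAMPLE = f"""<ns1:Assertion xmlns:ns1="urn:oasis:names:tc:SAML:1.0:assertion">
<ns1:AttributeStatement>
<ns1:Attribute AttributeName="role" AttributeNamespace="{CLAIMS}"><ns1:AttributeValue>cn=Group1, ou=group, c=USCA.FM.SEP
cn=Group2, ou=group, c=USCA.FM.SEP
cn=Group3, ou=group, c=US
</ns1:AttributeValue></ns1:Attribute>
<ns1:Attribute AttributeName="mail" AttributeNamespace="{CLAIMS}"><ns1:AttributeValue>user@example.com</ns1:AttributeValue></ns1:Attribute>
</ns1:AttributeStatement></ns1:Assertion>"""

if __name__ == "__main__":
    for name, info in audit_attributes(SAMPLE).items():
        state = "JOINED in one element" if info["joined"] else "ok"
        print(f"{name}: {info['elements']} element(s), {len(info['values'])} value(s): {state}")
```

Use it only on an assertion whose signature has already been checked; an SP that maps roles by exact match on each <AttributeValue> will not match any group while the values are joined.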