Symantec Access Management


Multi Valued Attributes in SAML Assertion

  • 1.  Multi Valued Attributes in SAML Assertion

    Posted Aug 07, 2017 04:06 AM

    How can we fetch and send a multi-valued user attribute as separate tags in a SAML Assertion?

    I am trying to configure an Assertion Attribute in a Federation partnership and send the User Attribute value from AD 'memberof' in the SAML Assertion.

    It is sending the values as below now:

    <AttributeValue>GroupA^GroupB^GroupC^GroupD</AttributeValue>


    But I want it to be sent as:

    <AttributeValue>GroupA</AttributeValue>
    <AttributeValue>GroupB</AttributeValue>
    <AttributeValue>GroupC</AttributeValue>
    <AttributeValue>GroupD</AttributeValue>

    I tried prefixing FMATTR:memberof in the 'Value' field, but it just removed the '^' and continued sending the groups in the same string.

    Is there any OOTB feature of SiteMinder by which we can achieve this, or any other suggestions?

    Update: I just noticed that it is appending "CA.FM.SEP" instead of '^' after prefixing 'FMATTR'.



  • 2.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 07, 2017 05:57 AM

    I followed the below from the SiteMinder documentation, but it didn't help.


    Value

    • Specifies the static value of the attribute for the Static type.
    • Specifies the value of a user attribute for a User Attribute type.

      If you add an LDAP user attribute to an assertion, you can configure an attribute with more than one value. Each value is specified as a separate <AttributeValue> element in the assertion, such as:

      <ns2:AttributeStatement>
      <ns2:Attribute Name="MyAttribute" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <ns2:AttributeValue>top</ns2:AttributeValue>
      <ns2:AttributeValue>person</ns2:AttributeValue>
      <ns2:AttributeValue>organizationalPerson</ns2:AttributeValue>
      <ns2:AttributeValue>inetorgperson</ns2:AttributeValue>
      </ns2:Attribute>
      </ns2:AttributeStatement>

      To indicate that a user attribute has multiple values, add the prefix FMATTR: at the beginning of the entry in this field. The prefix must be uppercase. For example, to add the user attribute LastName from an LDAP user store, enter FMATTR:LastName. The use of the prefix instructs [set the fedmgr variable for your book] how to interpret the attribute.

    • Specifies the DN attribute for the DN type.


  • 3.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 07, 2017 08:27 AM

    Hi Anurag,

    There is a defect with the FMATTR parameter, and the fix is targeted for r12.52 SP1 CR08.

    You would need to wait for r12.52 SP1 CR08, or else raise a support case for getting the devfix on your current release.


    Thanks,
    Sharan



  • 4.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 07, 2017 08:55 AM

    Hi Sharan,

    Thanks for the info!

    I read in one of the posts that increasing the MaxUserAttributeLength specified in the EntitlementGenerator.properties file may help, but it didn't.

    Just wanted to check if it is a defect in R12.6 as well, or whether it should work there?


    Regards,

    Anurag



  • 5.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 07, 2017 03:05 PM

    Hi Anurag,

    I have tested with r12.6; it seems like the defect is fixed in r12.6.

    Below is the output:

    <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>CN=Domain Guests,CN=Users,DC=pineapple,DC=ca,DC=com</ns2:AttributeValue>
    <ns2:AttributeValue>CN=Domain Admins,CN=Users,DC=pineapple,DC=ca,DC=com</ns2:AttributeValue>
    </ns2:Attribute>


    Thanks,

    Sharan



  • 6.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 08, 2017 04:08 AM

    Thanks, Sharan! It is helpful.

    I will also check in my env and update.


    Regards,

    Anurag



  • 7.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 08, 2017 09:23 AM

    Same error for the R12.6 Policy Server version as well. Sharana



  • 8.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 08, 2017 09:57 AM

    Hi Anurag,

    Below is the version of the Policy Server which I tested, along with r12.7 SPS.

    ProductName=CA Single Sign-On Policy Server
    FullVersion=12.60.100.2406




  • 9.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 08, 2017 11:09 AM

    Log snippet from the Policy Server for your reference:


    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SAMLSPEntitlementGenerator.java][SAMLSPEntitlementGenerator()][1d025e05-38302044-a89b4d78-97cf68c5-b4cef19e-26][][][][][][][][][][][][][][][][][][][][][Generated Entitlement List
    ][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SAMLSPEntitlementGenerator.java][generateValue][1d025e05-38302044-a89b4d78-97cf68c5-b4cef19e-26][][][][][][][][][][][][][][][][][][][][][
    param1 : FMATTR:memberOf
    sessionID: null][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmAuthUser.cpp:777][GetDsUserProp][][][][][][][][][][][][][][][][][][][][][][Enter function GetDsUserProp][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmAuthUser.cpp:2249][CSmAuthUser::GetPropIndex][][][][][][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::GetPropIndex][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmAuthUser.cpp:2280][GetPropIndex][][][][][][][][][][][][][][][][][][][][][][Processing Attribute [Property = FMATTR:memberOf] [Trim Property = memberOf] [Separator = CA.FM.SEP]][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:578][CSmDsAliases::IsSpecialAttrMapping][][][][][][][][][][][][][][][][][][][][][][Enter function CSmDsAliases::IsSpecialAttrMapping][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:428][CSmDsAliases::GetAttributeMapping][][][][][][][][][][][][][][][][][][][][][][Enter function CSmDsAliases::GetAttributeMapping][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:435][CSmDsAliases::GetAttributeMapping][][][][][][][][][][][][][0][][][][][][][][][Leave function CSmDsAliases::GetAttributeMapping][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:586][CSmDsAliases::IsSpecialAttrMapping][][][][][][][][][][][][][0][][][][][][][][][Leave function CSmDsAliases::IsSpecialAttrMapping][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsObj.cpp:94][CSmDsObj::IsValid][][][][][][][][][][][][][][][][][][][][][][Start of call IsValid.][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsObj.cpp:96][CSmDsObj::IsValid][][][][][][][][][][][][][1][][][][][][][][][Return from call IsValid.][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:554][CSmDsAliases::GetAttributeNameFromAlias][][][][][][][][][][][][][][][][][][][][][][Enter function CSmDsAliases::GetAttributeNameFromAlias][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:428][CSmDsAliases::GetAttributeMapping][][][][][][][][][][][][][][][][][][][][][][Enter function CSmDsAliases::GetAttributeMapping][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:435][CSmDsAliases::GetAttributeMapping][][][][][][][][][][][][][0][][][][][][][][][Leave function CSmDsAliases::GetAttributeMapping][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsAliases.cpp:559][CSmDsAliases::GetAttributeNameFromAlias][][][][][][][][][][][][][1][][][][][][][][][Leave function CSmDsAliases::GetAttributeNameFromAlias][][][][][]
    [08/08/2017][19:44:18.990][19:44:18][1444][2820][SmDsUser.cpp:485][CSmDsUser::GetProp][][][][][][][][][][][][][][][][][][][PropName 'memberOf' for user 'CN=sk nayak,CN=Users,DC=pineapple,DC=ca,DC=com' in dir 'pineapple'][][][Start of call GetUserProp.][][][][][]
    [08/08/2017][19:44:19.037][19:44:19][1444][2964][CSmDbConnection.cpp:174][CSmDbConnection::MakeActive][][][][][][][][][][][][][][][][][][][][][][Activate connection.][][][][][]
    [08/08/2017][19:44:19.037][19:44:19][1444][2964][CSmDbUtilities.cpp:806][CSmDbMonitoredClass::SetState][][][][][][][][][][][][][][][][][][][][][][Connection CA SiteMinder DSN: Changing object state 'Available' to state 'Active'.][][][][][]
    [08/08/2017][19:44:19.037][19:44:19][1444][2964][CSmDbConnection.cpp:200][CSmDbConnection::MakeInactive][][][][][][][][][][][][][][][][][][][][][][Inactivate connection.][][][][][]
    [08/08/2017][19:44:19.037][19:44:19][1444][2964][CSmDbUtilities.cpp:806][CSmDbMonitoredClass::SetState][][][][][][][][][][][][][][][][][][][][][][Connection CA SiteMinder DSN: Changing object state 'Active' to state 'Available'.][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][SmDsLdapConnMgr.cpp:1218][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][][LDAP search of memberOf=* took 0 seconds and 234392 microseconds][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][SmDsUser.cpp:487][CSmDsUser::GetProp][][][][][][][][][][][][][1][][][][][][][][][Return from call GetUserProp.][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][SmDsUser.cpp:495][GetProp][][][][][][][][][][][][][][][][][][][][][][Property 'memberOf' for user 'CN=sk nayak,CN=Users,DC=pineapple,DC=ca,DC=com' added to cache][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][SmAuthUser.cpp:2581][CSmAuthUser::GetPropIndex][][][][][][][][][][][][][true][][][][][][][][][Leave function CSmAuthUser::GetPropIndex][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][SmAuthUser.cpp:805][GetDsUserProp][][][][][][][][][][][][][111][][][][][][][][][Leave function GetDsUserProp][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][SAMLSPEntitlementGenerator.java][generateValue][1d025e05-38302044-a89b4d78-97cf68c5-b4cef19e-26][][][][][][][][][][][][][][][][][][][][][Entitlement: NameAttrFormat = unspecified, Encrypt = false, Mode = User, Groups = NOT PRINTABLE][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][AuthnRequestProtocol.java][generateAttributeStatement][1d025e05-38302044-a89b4d78-97cf68c5-b4cef19e-26][][][][][][][][][][][][][][][][][][][][][Generating SAML Assertion AttributeStatement...][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][AuthnRequestProtocol.java][processAttributes][1d025e05-38302044-a89b4d78-97cf68c5-b4cef19e-26][][][][][][][][][][][][][][][][][][][][][Raw Value: CN=Domain Guests,CN=Users,DC=pineapple,DC=ca,DC=comCA.FM.SEPCN=Domain Admins,CN=Users,DC=pineapple,DC=ca,DC=com][][][][][]
    [08/08/2017][19:44:19.224][19:44:19][1444][2820][AuthnRequestProtocol.java][generateAttributeStatement][1d025e05-38302044-a89b4d78-97cf68c5-b4cef19e-26][][][][][][][][][][][][][][][][][][][][][Require to Encrypt Attribute: false][][][][][]


    <ns2:AttributeStatement>
    <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>CN=Domain Guests,CN=Users,DC=pineapple,DC=ca,DC=com</ns2:AttributeValue>
    <ns2:AttributeValue>CN=Domain Admins,CN=Users,DC=pineapple,DC=ca,DC=com</ns2:AttributeValue>
    </ns2:Attribute>
    </ns2:AttributeStatement>


    Thanks,

    Sharan



  • 10.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 10, 2017 02:18 AM

    I am also using the same Policy Server version (FullVersion) to test, but the SPS is R12.52.

    Is the SPS version a reason for it not working?

    Please let me know, and I will proceed accordingly to open a CA ticket.


    Regards,

    Anurag



  • 11.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 10, 2017 10:12 AM

    Hi Anurag,


    I will test with r12.52 SPS and let you know the results.


    Thanks,
    Sharan



  • 12.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 10, 2017 10:16 AM

    Thank you, Sharan!

    Please note that my test is based on a SAML 1.1 Federation Partnership.

    I additionally wonder if it is something specific to SAML 1.1 assertion handling?


    Regards,

    Anurag



  • 13.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 10, 2017 10:23 AM

    I tested with SAML 2.0.

    I will test with SAML 1.1 and let you know the results.

    But please confirm whether you are using SAML 1.1 producer/consumer or WS-Fed IP/RP?


    Thanks,

    Sharan



  • 14.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 10, 2017 10:23 AM

    It is SAML 1.1 producer/consumer.



  • 15.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 10, 2017 10:45 AM

    Sure!

    I will test it and let you know the results.


    Thanks,

    Sharan



  • 16.  Re: Multi Valued Attributes in SAML Assertion

    Posted Aug 11, 2017 06:37 AM

    Hi Sharan,

    I just tested with SAML 2.0, SPS 12.52 and PS 12.6, and FMATTR works.

    So this looks to be something specific to SAML 1.1.

    Could you please verify and confirm?

    Is there a fix or workaround available?


    Regards,

    Anurag



  • 17.  Re: Multi Valued Attributes in SAML Assertion
    Best Answer

    Posted Aug 11, 2017 11:48 AM

    I have tested with the SAML 1.1 profile and was able to replicate the issue. It seems like the defect is not fixed in r12.6 either.

    <saml:Attribute AttributeName="Groups" AttributeNamespace="group">
    <saml:AttributeValue>CN=Domain Guests,CN=Users,DC=pineapple,DC=ca,DC=comCA.FM.SEPCN=Domain Admins,CN=Users,DC=pineapple,DC=ca,DC=com</saml:AttributeValue>
    </saml:Attribute>

    As of now, they have targeted the fix for r12.52 SP1 CR08, and I will update the engineering team about the defect in r12.6.


    Thanks,

    Sharan
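    The SAML 1.1 output above and the SAML 2.0 output in reply 9 differ only in whether the Policy Server's internal delimiter (CA.FM.SEP, or '^' without the FMATTR: prefix) leaks into a single AttributeValue. The following check, added here as an illustration and not part of the thread or of CA's product, parses an assertion, flags attributes whose values still carry the delimiter (a group check at the consumer would not match "CN=Domain Admins,..." against the concatenated string) and shows the one-element-per-value form the fixed release emits. The sample assertion is constructed from reply 17, with the xmlns declaration the post omitted.

```python
import xml.etree.ElementTree as ET
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML1_NS)
ET.register_namespace("saml2", SAML2_NS)
# Delimiters seen in the thread: CA.FM.SEP with the FMATTR: prefix, "^" without it.
SEPARATORS = ("CA.FM.SEP", "^")

# Constructed sample: the SAML 1.1 output from reply 17, wrapped in an Assertion
# element with the namespace declaration the forum post omitted.
SAML11_BROKEN = f"""<saml:Assertion xmlns:saml="{SAML1_NS}">
<saml:AttributeStatement>
<saml:Attribute AttributeName="Groups" AttributeNamespace="group">
<saml:AttributeValue>CN=Domain Guests,CN=Users,DC=pineapple,DC=ca,DC=comCA.FM.SEPCN=Domain Admins,CN=Users,DC=pineapple,DC=ca,DC=com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>"""

def _attributes(root):
    """(namespace, Attribute element) pairs, for SAML 1.x and 2.0 alike."""
    return [(ns, a) for ns in (SAML1_NS, SAML2_NS) for a in root.iter(f"{{{ns}}}Attribute")]

def attribute_values(xml_text):
    """Map each attribute name to the list of its AttributeValue texts."""
    result = {}
    for ns, attr in _attributes(ET.fromstring(xml_text)):
        name = attr.get("Name") or attr.get("AttributeName")
        result[name] = [(v.text or "").strip() for v in attr.findall(f"{{{ns}}}AttributeValue")]
    return result

def leaked_separators(xml_text, separators=SEPARATORS):
    """Attribute names whose values still carry a delimiter: the defect signature."""
    return [name for name, values in attribute_values(xml_text).items()
            if any(sep in v for v in values for sep in separators)]

def split_values(xml_text, separator="CA.FM.SEP"):
    """Rewrite the assertion with one AttributeValue per value, as the fixed release emits."""
    root = ET.fromstring(xml_text)
    for ns, attr in _attributes(root):
        for val in list(attr.findall(f"{{{ns}}}AttributeValue")):
            parts = (val.text or "").strip().split(separator)
            if len(parts) < 2:
                continue
            pos = list(attr).index(val)
            attr.remove(val)
            for i, part in enumerate(parts):  # new elements keep the original position
                elem = ET.Element(f"{{{ns}}}AttributeValue")
                elem.text = part
                attr.insert(pos + i, elem)
    return ET.tostring(root, encoding="unicode")
```

    Running `leaked_separators` over assertions captured at the consumer is a quick way to tell the defective output from a correctly multi-valued one across both SAML versions.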



  • 18.  Re: Multi Valued Attributes in SAML Assertion

    Posted Jul 10, 2018 08:59 PM

    I was advised by CA support to look at this thread for a similar issue we are facing. If we are developing a custom Assertion Generator plugin, how should the UserAttributes hashmap be populated? Could we set the value of the multi-value key as an ArrayList so that SiteMinder knows it is multiple values?