Layer 7 Access Management

Expand all | Collapse all

How to force SSO specify attribute value type in SAML Response

Jump to Best Answer
  • 1.  How to force SSO specify attribute value type in SAML Response

    Posted 07-02-2019 05:15 PM
    Edited by Bruno Cesar Trindade 07-02-2019 05:16 PM


    We are using a SAM2 IDP>SP partnership where CA SSO is IdP and RSD EOS is SP.
    After authenticate CA SSO is sending the assertion without specifying the attribute value type but the SP needs to confirm if this type is String.

    We also simulated this with OneLogin as IdP and it worked fine. Please see bellow the validation results:

    Looking at the SAML responses, there is a difference in the way the User ID is passed.

    CA SSO says:

    <ns2:AttributeStatement>

                    <ns2:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

                                    <ns2:AttributeValue>BASSETT</ns2:AttributeValue>

                    </ns2:Attribute>  

    </ns2:AttributeStatement> 

    While Onelogin says:

    <saml:AttributeStatement>

                    <saml:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">

                                    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BASSETT</saml:AttributeValue>

                    </saml:Attribute>

    </saml:AttributeStatement>

     

    And the schema for the attribute statement says

    <element name="AttributeStatement" type="saml:AttributeStatementType"/>

    <complexType name="AttributeStatementType">

                    <complexContent>

                                    <extension base="saml:StatementAbstractType">

                                                    <choice maxOccurs="unbounded">

                                                                    <element ref="saml:Attribute"/>

                                                                    <element ref="saml:EncryptedAttribute"/>

                                                    </choice>

                                    </extension>

                    </complexContent>

    </complexType>

    <element name="Attribute" type="saml:AttributeType"/>

    <complexType name="AttributeType">

                    <sequence>

                                    <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>

                    </sequence>

                    <attribute name="Name" type="string" use="required"/>

                    <attribute name="NameFormat" type="anyURI" use="optional"/>

                    <attribute name="FriendlyName" type="string" use="optional"/>

                    <anyAttribute namespace="##other" processContents="lax"/>

    </complexType>

    <element name="AttributeValue" type="anyType" nillable="true"/>

    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>


    So the schema says "could be anything, work it out". Onelogin says "here's the userid, it's a string". CA SSO says "here's the userID, work it out".

    The error message is: 
    "java.lang.ClassCastException: org.opensaml.core.xml.schema.impl.XSAnyImpl
    cannot be cast to org.opensaml.core.xml.schema.impl.XSStringImpl",
    which could be translated to "But I want a string! "

    Is it possible to CA SSO indicate the attribute value type to SP?

    Best Regards!
    Bruno Trindade



  • 2.  RE: How to force SSO specify attribute value type in SAML Response
    Best Answer

    Posted 07-03-2019 03:13 AM
    Hi Bruno,

    It seems we can specify the Type of the attribute as optional.

    saml-dev message
    https://lists.oasis-open.org/archives/saml-dev/201106/msg00000.html

    As such, we offer the possibility to configure the attribute type here :

    Specify Attributes for SSO Assertions

    3. From the Attribute Type drop-down list, select the name format
    type. This entry must match the <NameFormat> attribute in the
    <Attribute> element of an assertion attribute statement. The type
    classifies the attribute name so that the Service Provider can
    interpret the name.

    The options are:

    unspecified

    Determines how the name interpretation is left to your
    implementation.

    basic

    Indicates that the name format must use acceptable values. The
    acceptable values are from the values belonging to the primitive
    type xs:Name.

    URI

    Indicates that the name format must follow the standards for a URI
    reference. How the URI is interpreted is specific to the
    application using the attribute value.

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/legacy-federation/configure-a-saml-2-0-identity-provider/optional-configure-attributes-for-assertions

    So said, if you set "unspecified" let the SP to accept the type
    xsd:anyType and interprete it as it needs :

    Difference/similarities between xsd:any and xsd:anyType
    https://stackoverflow.com/questions/5389076/difference-similarities-between-xsdany-and-xsdanytype

    You probably have to make the SP side to accept that type.

    I hope this helps,

    Best Regards,
    Patrick