Symantec Access Management

  • 1.  How to force SSO specify attribute value type in SAML Response

    Broadcom Employee
    Posted Jul 02, 2019 05:15 PM
    Edited by Bruno Trindade Jul 02, 2019 05:16 PM


    We are using a SAML2 IdP>SP partnership where CA SSO is the IdP and RSD EOS is the SP.
    After authentication, CA SSO sends the assertion without specifying the attribute value type, but the SP needs to confirm that this type is String.

    We also simulated this with OneLogin as IdP and it worked fine. Please see the validation results below:

    Looking at the SAML responses, there is a difference in the way the User ID is passed.

    CA SSO says:

    <ns2:AttributeStatement>
        <ns2:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <ns2:AttributeValue>BASSETT</ns2:AttributeValue>
        </ns2:Attribute>
    </ns2:AttributeStatement>

    While Onelogin says:

    <saml:AttributeStatement>
        <saml:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BASSETT</saml:AttributeValue>
        </saml:Attribute>
    </saml:AttributeStatement>

    And the schema for the attribute statement says:

    <element name="AttributeStatement" type="saml:AttributeStatementType"/>
    <complexType name="AttributeStatementType">
        <complexContent>
            <extension base="saml:StatementAbstractType">
                <choice maxOccurs="unbounded">
                    <element ref="saml:Attribute"/>
                    <element ref="saml:EncryptedAttribute"/>
                </choice>
            </extension>
        </complexContent>
    </complexType>

    <element name="Attribute" type="saml:AttributeType"/>
    <complexType name="AttributeType">
        <sequence>
            <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
        </sequence>
        <attribute name="Name" type="string" use="required"/>
        <attribute name="NameFormat" type="anyURI" use="optional"/>
        <attribute name="FriendlyName" type="string" use="optional"/>
        <anyAttribute namespace="##other" processContents="lax"/>
    </complexType>

    <element name="AttributeValue" type="anyType" nillable="true"/>
    <element name="EncryptedAttribute" type="saml:EncryptedElementType"/>


    So the schema says "could be anything, work it out". Onelogin says "here's the userid, it's a string". CA SSO says "here's the userID, work it out".

    The error message is:
    "java.lang.ClassCastException: org.opensaml.core.xml.schema.impl.XSAnyImpl cannot be cast to org.opensaml.core.xml.schema.impl.XSStringImpl",
    which could be translated to "But I want a string!"

    Is it possible for CA SSO to indicate the attribute value type to the SP?

    Best Regards!
    Bruno Trindade



  • 2.  RE: How to force SSO specify attribute value type in SAML Response
    Best Answer

    Broadcom Employee
    Posted Jul 03, 2019 03:13 AM
    Hi Bruno,

    It seems we can specify the Type of the attribute as optional.

    saml-dev message
    https://lists.oasis-open.org/archives/saml-dev/201106/msg00000.html

    As such, we offer the possibility to configure the attribute type here :

    Specify Attributes for SSO Assertions

    3. From the Attribute Type drop-down list, select the name format
    type. This entry must match the <NameFormat> attribute in the
    <Attribute> element of an assertion attribute statement. The type
    classifies the attribute name so that the Service Provider can
    interpret the name.

    The options are:

    unspecified

    Determines how the name interpretation is left to your
    implementation.

    basic

    Indicates that the name format must use acceptable values. The
    acceptable values are from the values belonging to the primitive
    type xs:Name.

    URI

    Indicates that the name format must follow the standards for a URI
    reference. How the URI is interpreted is specific to the
    application using the attribute value.

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/legacy-federation/configure-a-saml-2-0-identity-provider/optional-configure-attributes-for-assertions

    That said, if you set "unspecified", you let the SP accept the type
    xsd:anyType and interpret it as it needs:

    Difference/similarities between xsd:any and xsd:anyType
    https://stackoverflow.com/questions/5389076/difference-similarities-between-xsdany-and-xsdanytype

    You probably have to make the SP side accept that type.

    I hope this helps,

    Best Regards,
    Patrick
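The two AttributeStatements quoted in the question differ only in whether AttributeValue carries an xsi:type, and the answer's point is that an SP should accept the schema type anyType rather than assume xs:string. The following added example, which is not part of this thread and not code from CA SSO, OneLogin or OpenSAML, shows both sides of that: it resolves the declared xsi:type (if any) on each value and extracts the value the way a tolerant SP would, accepting an untyped value or xs:string and rejecting structured or differently typed content instead of casting blindly. The two sample statements are constructed from the fragments in the question, with namespace declarations added so each parses stand-alone; the prefix map is taken flat across the fragment, which is an assumption that holds for these small inputs.

```python
import io
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
ATTR = f"{{{SAML_NS}}}Attribute"
VALUE = f"{{{SAML_NS}}}AttributeValue"
XSI_TYPE = f"{{{XSI_NS}}}type"
XSI_NIL = f"{{{XSI_NS}}}nil"

# Constructed samples modelled on the two AttributeStatements quoted in the
# thread (namespace declarations added so each fragment parses on its own).
CA_SSO_STATEMENT = f'''<ns2:AttributeStatement xmlns:ns2="{SAML_NS}">
  <ns2:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <ns2:AttributeValue>BASSETT</ns2:AttributeValue>
  </ns2:Attribute>
</ns2:AttributeStatement>'''

ONELOGIN_STATEMENT = f'''<saml:AttributeStatement xmlns:saml="{SAML_NS}" xmlns:xs="{XS_NS}">
  <saml:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="{XSI_NS}" xsi:type="xs:string">BASSETT</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>'''

# Constructed: a value that is neither untyped text nor xs:string (child elements),
# which a string-only consumer must reject rather than silently accept.
STRUCTURED_STATEMENT = f'''<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="EOSUserId">
    <saml:AttributeValue><saml:Inner>BASSETT</saml:Inner></saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>'''


def parse_with_prefixes(xml_text):
    """Parse a fragment and also collect the prefix->URI map, which is needed to
    resolve the QName in xsi:type (ElementTree keeps it as the raw 'xs:string')."""
    prefixes = {}
    root = None
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns", "start"))
    for event, obj in events:
        if event == "start-ns":
            prefixes[obj[0]] = obj[1]
        elif root is None:
            root = obj
    return root, prefixes


def declared_type(value_el, prefixes):
    """Resolved (namespace, local) of xsi:type, or None when the value is untyped."""
    qname = value_el.get(XSI_TYPE)
    if qname is None:
        return None
    prefix, sep, local = qname.partition(":")
    if not sep:  # unprefixed QName: falls under the default namespace, if any
        return prefixes.get("", ""), prefix
    return prefixes.get(prefix, ""), local


def as_string(value_el, prefixes):
    """Tolerant extraction: accept an untyped value (schema type anyType) or an
    explicit xs:string; reject structured or differently typed content."""
    if value_el.get(XSI_NIL) in ("true", "1"):
        return None
    if len(value_el):  # child elements present: structured content, not a string
        raise ValueError("AttributeValue carries child elements, not a string")
    dtype = declared_type(value_el, prefixes)
    if dtype is not None and dtype != (XS_NS, "string"):
        raise ValueError(f"AttributeValue declared as {dtype}, not xs:string")
    return value_el.text or ""


def attribute_strings(statement_xml):
    """Map each Attribute Name to its list of string values."""
    root, prefixes = parse_with_prefixes(statement_xml)
    return {a.get("Name"): [as_string(v, prefixes) for v in a.findall(VALUE)]
            for a in root.iter(ATTR)}


def declared_types(statement_xml, name):
    """The xsi:type declarations seen on one attribute's values (None = untyped)."""
    root, prefixes = parse_with_prefixes(statement_xml)
    for a in root.iter(ATTR):
        if a.get("Name") == name:
            return [declared_type(v, prefixes) for v in a.findall(VALUE)]
    return []


def accepted_as_strings(statement_xml):
    """True when every AttributeValue in the statement passes as_string."""
    try:
        attribute_strings(statement_xml)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(declared_types(CA_SSO_STATEMENT, "EOSUserId"))    # [None]
    print(declared_types(ONELOGIN_STATEMENT, "EOSUserId"))  # [(XS_NS, 'string')]
    print(attribute_strings(CA_SSO_STATEMENT))              # {'EOSUserId': ['BASSETT']}
    print(accepted_as_strings(STRUCTURED_STATEMENT))        # False
```

The CA SSO statement yields no declared type while the OneLogin one resolves to xs:string, yet both extract to the same user id; only the structured value is refused. That is the behaviour to aim for on the SP side when the IdP cannot be made to emit xsi:type.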