We are using a SAML2 IdP > SP partnership where CA SSO is the IdP and RSD EOS is the SP.
After authentication, CA SSO sends the assertion without specifying the attribute value type, but the SP needs to confirm that this type is String.
We also simulated this with OneLogin as IdP and it worked fine. Please see below the validation results:
Looking at the SAML responses, there is a difference in the way the User ID is passed.
CA SSO says:
<ns2:AttributeStatement>
<ns2:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<ns2:AttributeValue>BASSETT</ns2:AttributeValue>
</ns2:Attribute>
</ns2:AttributeStatement>
While OneLogin says:
<saml:AttributeStatement>
<saml:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">BASSETT</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
And the schema for the attribute statement says:
<element name="AttributeStatement" type="saml:AttributeStatementType"/>
<complexType name="AttributeStatementType">
<complexContent>
<extension base="saml:StatementAbstractType">
<choice maxOccurs="unbounded">
<element ref="saml:Attribute"/>
<element ref="saml:EncryptedAttribute"/>
</choice>
</extension>
</complexContent>
</complexType>
<element name="Attribute" type="saml:AttributeType"/>
<complexType name="AttributeType">
<sequence>
<element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
</sequence>
<attribute name="Name" type="string" use="required"/>
<attribute name="NameFormat" type="anyURI" use="optional"/>
<attribute name="FriendlyName" type="string" use="optional"/>
<anyAttribute namespace="##other" processContents="lax"/>
</complexType>
<element name="AttributeValue" type="anyType" nillable="true"/>
<element name="EncryptedAttribute" type="saml:EncryptedElementType"/>
So the schema says "could be anything, work it out". OneLogin says "here's the userid, it's a string". CA SSO says "here's the userID, work it out".
The error message is:
"java.lang.ClassCastException: org.opensaml.core.xml.schema.impl.XSAnyImpl cannot be cast to org.opensaml.core.xml.schema.impl.XSStringImpl",
which could be translated to "But I want a string!"
Is it possible for CA SSO to indicate the attribute value type to the SP?
Best Regards!
Bruno Trindade
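A small diagnostic for the difference described in this post, added here as an example and not part of the original post or of either product: it parses an AttributeStatement and reports whether each AttributeValue declares an xsi:type, and shows the tolerant read a schema-conformant SP could do instead of casting (AttributeValue is anyType). The two samples are constructed from the fragments above, with namespace declarations added so they parse stand-alone.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed samples modelled on the CA SSO and OneLogin fragments in the post.
CA_SSO_STATEMENT = f"""<ns2:AttributeStatement xmlns:ns2="{SAML_NS}">
<ns2:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<ns2:AttributeValue>BASSETT</ns2:AttributeValue>
</ns2:Attribute>
</ns2:AttributeStatement>"""

ONELOGIN_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}">
<saml:Attribute Name="EOSUserId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xsi="{XSI_NS}" xmlns:xs="{XS_NS}" xsi:type="xs:string">BASSETT</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>"""


def attribute_value_types(statement_xml):
    """Map each Attribute Name to the declared xsi:type of each of its
    AttributeValue children (None where the IdP declared no type)."""
    root = ET.fromstring(statement_xml)
    result = {}
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        values = attr.findall(f"{{{SAML_NS}}}AttributeValue")
        result[attr.get("Name")] = [v.get(f"{{{XSI_NS}}}type") for v in values]
    return result


def untyped_attributes(statement_xml):
    """Attribute names with at least one value lacking xsi:type; these are the
    values an OpenSAML unmarshaller models as XSAny rather than XSString."""
    types = attribute_value_types(statement_xml)
    return [name for name, ts in types.items() if any(t is None for t in ts)]


def extract_user_id(statement_xml, attr_name="EOSUserId"):
    """Tolerant read: return the text of the named attribute's first value
    whether or not xsi:type is declared; reject an explicit non-string type."""
    root = ET.fromstring(statement_xml)
    for attr in root.findall(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attr_name:
            continue
        value = attr.find(f"{{{SAML_NS}}}AttributeValue")
        if value is None or value.text is None:
            return None
        declared = value.get(f"{{{XSI_NS}}}type")
        if declared is not None and declared.split(":")[-1] != "string":
            raise TypeError(f"{attr_name} declared as {declared}, not xs:string")
        return value.text.strip()
    return None
```

Running attribute_value_types over a captured assertion shows at a glance whether the IdP supplied the type the SP insists on.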