0
votes

I have WSO2 IS set up as a bridge to provide a SAML IdP for our WS-Federation IP. Upon authenticating, the WS-Federation IP sends a SAML assertion containing various attributes including one with the name of http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. WSO2's SAML assertion has all of those attributes exactly as is with the exception that the emailaddress claim is missing.

I am using the default claim mappings; the service provider has Enable Attribute Profile and Include Attributes in the Response Always enabled; I am using version 5.3.0 on Windows.

1
Can you share the claim configuration of your Service Provider? - farasath
I'm using the default. Other standard claims, like schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, are passed through, as well as custom claims, like mydomain/identity/myclaim. The Claim Configuration panel has 'Use Local Claim Dialect' selected, no Requested Claims added, and no Subject Claim URI selected. In the schemas.xmlsoap.org/ws/2005/05/identity claim dialect settings, givenname, which is passed through correctly, is mapped to wso2.org/claims/givenname, while emailaddress, which is being filtered out, is mapped to wso2.org/claims/emailaddress. - TheJayMann

1 Answer

0
votes

I believe I have found the problem. WSO2 apparently does not like to receive multiple values for an attribute, and, when it does, it only accepts the last value for the attribute. Also, if the value happens to be blank, WSO2 will remove the item. In the SAML Assertion from our WS-Federation IP, the email address attribute was being set as:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <AttributeValue>email@address</AttributeValue>
    <AttributeValue/>
</Attribute>

Because WSO2 does not appear to support multiple values for attributes, it keeps the last one only, and, because it is blank, it removes the attribute. When I modified the data of the test user to have two email addresses, the last email address listed was passed through.
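The following script is an added example, not part of the original answer and not WSO2's code. It parses an assertion constructed to mirror the attribute fragment above, models the "last value wins, blank value drops the attribute" behaviour the answer describes as a hypothetical helper, and contrasts it with a consumer that discards empty values before mapping. The find_dropped_claims check is a pre-flight test you can run against an IdP's real assertion to spot claims that such a consumer would silently lose. Claim URIs are the ones from the thread; the sample values and helper names are assumptions.

```python
"""Model the multi-valued SAML attribute problem from the answer.

Added example; the helpers below are hypothetical models of the
behaviour described in the answer, not WSO2's implementation.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVENNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

# Constructed sample: the shape shown in the answer, with a trailing
# empty <AttributeValue/> on the email claim.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GIVENNAME_CLAIM}">
      <saml:AttributeValue>Jay</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>email@address</saml:AttributeValue>
      <saml:AttributeValue/>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the test user with two email addresses, as in the
# last sentence of the answer (both values non-empty).
SAMPLE_TWO_EMAILS = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>first@address</saml:AttributeValue>
      <saml:AttributeValue>second@address</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values...]} keeping every AttributeValue,
    empty ones included, so the caller sees exactly what the IdP sent."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    result = {}
    for attr in root.findall(".//saml:Attribute", ns):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", ns)]
        result.setdefault(attr.get("Name"), []).extend(values)
    return result


def last_value_wins(attributes):
    """Hypothetical model of the behaviour the answer describes: only the
    last value of each attribute survives, and an attribute whose
    surviving value is blank is dropped altogether."""
    mapped = {}
    for name, values in attributes.items():
        last = values[-1] if values else ""
        if last:
            mapped[name] = last
    return mapped


def keep_nonempty_values(attributes):
    """Defensive alternative for a consumer you control: discard empty
    values first, then keep every remaining value (multi-valued
    attributes are legal in SAML 2.0 and should not be collapsed)."""
    mapped = {}
    for name, values in attributes.items():
        nonempty = [v for v in values if v]
        if nonempty:
            mapped[name] = nonempty
    return mapped


def find_dropped_claims(attributes):
    """Pre-flight check: attribute names that a last-value-wins consumer
    would drop even though they carry at least one non-empty value."""
    return sorted(name for name, values in attributes.items()
                  if values and not values[-1] and any(values))


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print("raw:", attrs)
    print("last value wins:", last_value_wins(attrs))
    print("non-empty kept:", keep_nonempty_values(attrs))
    print("would be dropped:", find_dropped_claims(attrs))
    print("two emails, last wins:", last_value_wins(extract_attributes(SAMPLE_TWO_EMAILS)))
```

Feed find_dropped_claims the assertion captured from your own IdP (for example from a SAML tracer) before wiring up the bridge; an empty result means no claim is at risk from the trailing-blank-value case, while any name it returns is one to fix at the IdP (remove the empty value) rather than in the consumer.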