0
votes

I'm using WSO2 Identity Server 5.3

I have to produce a SAML2 assertion with some multivalued attributes from the user profile.

Let's say I have a comma separated list of values for a particular claim and I must organize those attributes using the following structure in my saml assertion response:

<saml2:Attribute Name="attribute1">
    <saml2:AttributeValue>value1</saml2:AttributeValue>
    <saml2:AttributeValue>value2</saml2:AttributeValue>
    <saml2:AttributeValue>value3</saml2:AttributeValue>
    <saml2:AttributeValue>value4</saml2:AttributeValue>
</saml2:Attribute>

I configured an STS client to get a SAML2 assertion and claims for a particular user which I set up with a multivalued claim.

My issue is I get the SAML assertion response as the following structure:

<saml2:Attribute Name="attribute1">
    <saml2:AttributeValue>value1,value2,value3,value4</saml2:AttributeValue>
</saml2:Attribute>

I set up an instance of the travelocity application on a Tomcat, tested again, and I got the SAML assertion as expected after logging in to the application and choosing the SAML flow. I could verify it by looking at the log file of the Identity Server.

I used the STS client [1] as well to get the SAML assertion, but what I got for a multivalued attribute was comma-separated values for that particular attribute.

I went directly to the admin service https://localhost:9443/services/wso2carbon-sts?wsdl using SoapUI as my client, but the SAML response was exactly the same case as I stated before: the multivalued attribute comes as comma-separated values for that particular attribute.

Here is a sample of what I get in the Attribute Statement section:

<saml2:AttributeStatement>
    <saml2:Attribute Name="http://wso2.org/claims/im" NameFormat="http://wso2.org/claims/im">
        <saml2:AttributeValue
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jairo_fernandezr,jb_fernandez
        </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://wso2.org/claims/emailaddress" NameFormat="http://wso2.org/claims/emailaddress">
        <saml2:AttributeValue
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]
        </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso2.org/claims/givenname">
        <saml2:AttributeValue
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Jairo
        </saml2:AttributeValue>
    </saml2:Attribute>
</saml2:AttributeStatement>

Now, I would like to ask you if there is another way to get a SAML assertion with multivalued attributes structured as single values instead of comma-separated values, using the admin service https://localhost:9443/services/wso2carbon-sts?wsdl or another approach, without setting up the travelocity application.

[1] https://github.com/wso2/product-is/tree/5.x.x/modules/samples/sts

Any comment will be greatly appreciated.

Thanks

1
Indeed, using separated values is the default way in which wso2is handles multi-value attributes. I believe you could implement your own class that creates the SAML response (overwrite the method creating attributes from claims) and configure it in the api-manager.xml (I don't remember the interface exactly; I may check once I get to my office on Monday). The next thing you'd need to overwrite is your own claim handler (that's the class creating the key/value map for claims); however, I would check how the signature would work with your own implementation. - gusto2
What's your user store? Is it the default LDAP? - farasath
I have an external LDAP as the primary user store, and I also have an AD as a secondary user store. - Jairo FERNANDEZ
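The question contrasts the attribute structure the relying party needs (one saml2:AttributeValue per value) with what the STS actually returns (one AttributeValue holding a comma-separated list). As an added example, not code from the question, from WSO2 or from any answer here, the following Python script shows a relying-party-side check and normalisation: it detects attributes whose single AttributeValue still contains the delimiter, and expands an allow-listed set of known multi-valued claims into the expected per-value structure. SAMPLE_STATEMENT is constructed from the AttributeStatement shown in the question, and the MULTI_VALUED_CLAIMS allow-list and the function names are assumptions of this example.

```python
"""Relying-party workaround for an STS that packs a multi-valued claim into one
comma-separated saml2:AttributeValue (added example, not WSO2 code).

Run this only on an assertion whose XML signature has already been verified:
splitting rewrites the AttributeStatement, so it must operate on the trusted,
already-validated element tree, never on the signed bytes.
"""
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"saml2": SAML2_NS}

ET.register_namespace("saml2", SAML2_NS)
ET.register_namespace("xsi", XSI_NS)

# Constructed sample modelled on the AttributeStatement in the question:
# the multi-valued "im" claim arrives as a single comma-separated value.
SAMPLE_STATEMENT = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2_NS}">
  <saml2:Attribute Name="http://wso2.org/claims/im" NameFormat="http://wso2.org/claims/im">
    <saml2:AttributeValue xmlns:xsi="{XSI_NS}" xsi:type="xs:string">jairo_fernandezr,jb_fernandez</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="http://wso2.org/claims/givenname" NameFormat="http://wso2.org/claims/givenname">
    <saml2:AttributeValue xmlns:xsi="{XSI_NS}" xsi:type="xs:string">Jairo</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

# Assumed allow-list: only claims the deployment knows to be multi-valued are
# split. A blanket split would corrupt single values that legitimately contain
# the delimiter (a display name with a comma, for instance).
MULTI_VALUED_CLAIMS = {"http://wso2.org/claims/im"}


def find_packed_attributes(statement_xml, delimiter=","):
    """Return the Names of attributes that carry exactly one AttributeValue
    containing the delimiter: the packing described in the question."""
    root = ET.fromstring(statement_xml)
    packed = []
    for attr in root.findall("saml2:Attribute", NS):
        values = attr.findall("saml2:AttributeValue", NS)
        if len(values) == 1 and delimiter in (values[0].text or ""):
            packed.append(attr.get("Name"))
    return packed


def split_multivalued_attributes(statement_xml, multi_valued=MULTI_VALUED_CLAIMS, delimiter=","):
    """Expand each allow-listed attribute's single packed AttributeValue into
    one AttributeValue per value, i.e. the structure the question asks for.
    Returns the rewritten AttributeStatement as a string."""
    root = ET.fromstring(statement_xml)
    for attr in root.findall("saml2:Attribute", NS):
        if attr.get("Name") not in multi_valued:
            continue
        values = attr.findall("saml2:AttributeValue", NS)
        if len(values) != 1:
            continue  # already expanded, or empty: nothing to do
        packed = values[0]
        parts = [p.strip() for p in (packed.text or "").split(delimiter) if p.strip()]
        if len(parts) < 2:
            continue  # a single value, leave it untouched
        attr.remove(packed)
        for part in parts:
            value = ET.SubElement(attr, f"{{{SAML2_NS}}}AttributeValue")
            # Carry the original xsi:type (and any other attributes) across.
            for key, val in packed.attrib.items():
                value.set(key, val)
            value.text = part
    return ET.tostring(root, encoding="unicode")


def attribute_values(statement_xml, name):
    """List the AttributeValue texts of the attribute called `name`."""
    root = ET.fromstring(statement_xml)
    for attr in root.findall("saml2:Attribute", NS):
        if attr.get("Name") == name:
            return [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
    return []


if __name__ == "__main__":
    print("packed attributes:", find_packed_attributes(SAMPLE_STATEMENT))
    print(split_multivalued_attributes(SAMPLE_STATEMENT))
```

find_packed_attributes is the useful monitoring hook: running it on assertions received from the Web SSO flow should return an empty list, while running it on assertions from the STS endpoint surfaces exactly the claims affected by the behaviour described in the question, which makes the difference between the two flows easy to demonstrate before deciding whether a relying-party workaround or a server-side fix is appropriate.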

1 Answer

0
votes

WSO2 Identity Server 5.3.0 behaves correctly when it comes to the Web SAML SSO flow.

But the service wso2carbon-sts, which can be found by default at https://localhost:9443/services/wso2carbon-sts, behaves differently, as I described in my original post.

I have reported this to the WSO2 team and they registered a bug in the Identity Server project; you can see the details here and follow up on it if you are interested.

Thanks for your support