Idea ID: 2871281

IDP "Attribute Sets" should be able to add the same LDAP attribute more than once

Status : Accepted
22 days ago

IDP cluster --> Shared Settings --> Attribute Sets

Today, when creating or modifying an Attribute Set for use with SAML, WsFed, etc, after you select a Local Attribute to include in the Set, this filters that same Local Attribute (LDAP or otherwise) from being selected again within that same Set.

We have approximately 200 SAML federations declared. It's unfortunately not uncommon for various SAML SP partners to require the same LDAP attribute to be sent multiple ways in the same SAML Assertion via different mapped "Remote Attribute" names.

I'm fully aware of the virtual attribute feature, but that's a more heavy-handed approach which, for this simple use-case, should be unnecessary. I don't need to transform the value. I just need to send the LDAP Attribute's value more than once under different "Remote Attribute" mapped names.

NAM's Admin Console UI should eliminate the unnecessary UI restriction that filters out an already selected attribute from the Local Attribute list after it's been selected a single time.

Labels:

Configuration
Other