Haas Trusted Contributor.

Half of SAML attributes are not passing through to SP

Based on the SP requirements, we have about a dozen attributes being added to the "attribute sets". During my testing, I can see only half a dozen passed through in the SAMLResponse.

I used the SAML tracer and all I can observe is the half a dozen attributes and nothing else.

Is there a limit in AM on how many attributes can be passed? I assumed that you can have as many attributes as you need.

Did anyone encounter this case?

0 Likes
Accepted Solutions
ericveysey Trusted Contributor.

I'm not aware of any limit. I'm successfully sending more than 6. One of our attribute sets is 46 attributes; we usually send around 8-14 attributes in the assertion. The others are unvalued for some reason or another.

Are all these attributes in the same user store? I've only seen this when you, say, Kerb into AD and then you have those eDirectory attributes.

0 Likes
6 Replies
Micro Focus Contributor

You're referring to the attributes in the SAML connector?

0 Likes
Haas Trusted Contributor.

Yes, it's where we add the attributes to be sent through the assertion to the service provider.

0 Likes
Haas Trusted Contributor.

I guess my next question would be how do I troubleshoot this issue (the missing attributes that are not being passed to the SP)?

Are there any other tools we can use to troubleshoot this issue? I used SAML tracer but it was not helpful in locating the root cause of the issue.

Cheers

0 Likes
Micro Focus Frequent Contributor

There is no limit on the number of attributes in a SAML Response. To troubleshoot the issue, you can do the following:

Identify the type of attributes you are using:

a. custom attribute
b. LDAP user attribute
c. virtual attribute

1. Logs: You need to enable the IDP logging (Application, SAML2, WSC, WSC in debug mode). The IDP's catalina.out will have the information on attribute sets and all attributes under them (search for "Looking for attribute").

2. LDAP trace: An LDAP trace on the eDir user store will also give an idea of whether a particular attribute is requested or not.

3. TCPDUMP: You need to have the private key to decrypt the traffic, or the user store must be running on the non-SSL (389) port.

Feel free to open a service request to involve support.

0 Likes
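Before going to the IDP logs, the SAML tracer capture can be turned into an exact list of which expected attributes are absent and which arrived with no value. This is an added example, not part of the original thread or of Access Manager; it assumes the HTTP-POST binding (base64 SAMLResponse) and an unencrypted assertion, and the attribute names and sample response are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def attribute_report(saml_response_b64, expected):
    """Diff the attributes in a base64 SAMLResponse against the expected set."""
    xml = base64.b64decode(saml_response_b64)
    # SAML messages never need a DTD; refuse one rather than hand it to the parser.
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not valid in SAML messages")
    root = ET.fromstring(xml)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting attributes")
    sent, empty = set(), set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        sent.add(name)
        if not any(values):          # present in the assertion but carries no value
            empty.add(name)
    expected = set(expected)
    return {
        "sent": sorted(sent),
        "missing": sorted(expected - sent),      # configured in the attribute set, never sent
        "empty": sorted(empty),
        "unexpected": sorted(sent - expected),
    }

# Constructed sample response (not captured from a real IDP), unsigned for brevity.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="givenName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="title"><saml:AttributeValue/></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()
# Hypothetical attribute set: what the SP asked for.
EXPECTED = ["mail", "givenName", "title", "department", "employeeNumber"]

if __name__ == "__main__":
    for key, names in attribute_report(SAMPLE_B64, EXPECTED).items():
        print(f"{key:10} {names}")
```

Running it for users in different roles and comparing the "missing" lists shows quickly whether the gap follows the user rather than the attribute set.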
Haas Trusted Contributor.

Sorry for the delay.

After doing more testing and digging into the attributes and what roles these attributes are associated with, it was determined that the attributes would pass through to the service provider (SP) based on what role that user has in the user store.

Cheers

0 Likes