Half of SAML attributes are not passing through to SP

Commander

Based on the SP requirements, we have about a dozen attributes being added to the "attribute sets". During my testing, I can see only half a dozen passed through in the SAMLResponse.

Used the SAML tracer and all I can observe is the half a dozen attributes and nothing else.

Is there a limit in AM on how many attributes can be passed? I assumed that you can have as many attributes as you need.

Did anyone encounter this case?

1 Solution, 7 Replies

Micro Focus Contributor

You're referring to the attributes in the SAML connector?

Commander

Yes, it's where we add the attributes to be sent through the assertion to the service provider.

[screenshot: saml-attributes.png]

Captain (Accepted Solution)

I'm not aware of any limit. I'm successfully sending more than 6. One of our attribute sets is 46 attributes, we usually send around 8-14 attributes in the assertion. The others are unvalued for some reason or another.

Are all these attributes in the same user store? I've only seen this when you say Kerb into AD and then you have those eDirectory attributes.

Commander

I guess my next question would be how do I troubleshoot this issue (the missing attributes that are not being passed to the SP)?

Are there any other tools we can use to troubleshoot this issue? I used the SAML tracer but it was not helpful in locating the root cause of the issue.

Cheers

Micro Focus Expert

There is no limit on the number of attributes in a SAML Response. To troubleshoot the issue you can do the following:

Identify the type of attributes you are using:

a. custom attribute
b. LDAP user attribute
c. virtual attribute

1. Logs: You need to enable the IDP logging (Application, SAML2, WSC, WSC in debug mode). The IDP's catalina.out will have the information on attribute sets and all attributes under that (search for "Looking for attribute").

2. LDAP trace: An LDAP trace on the eDir user store will also give an idea of whether a particular attribute is requested or not.

3. TCPDUMP: You need to have the private key to decrypt the traffic, or the User Store must be running on the non-SSL (389) port.

Feel free to open a service request to involve support.
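As an added example (not code from this thread or from Access Manager itself), the Python script below automates the comparison a practitioner would make between the SAML tracer capture and step 1 above: it decodes a SAMLResponse as copied from the tracer, lists the attributes actually present in the AttributeStatement, cross-checks them against the "Looking for attribute" lines in catalina.out, and classifies each expected attribute as sent, sent with an empty value, requested by the IDP but absent from the assertion (looked up but unvalued in that user store), or never requested (not in the attribute set or policy applied to this user). The attribute names, the expected set, the sample response and the log line layout are constructed; only the phrase "Looking for attribute" comes from the reply above. It also refuses to guess at an EncryptedAssertion, which the tracer can only show as ciphertext, and handles the DEFLATE encoding the HTTP-Redirect binding uses.

```python
import base64
import re
import zlib
from xml.etree import ElementTree as ET  # for untrusted XML prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical attribute set: the dozen names the SP expects (constructed).
EXPECTED = [
    "mail", "sn", "givenName", "telephoneNumber", "mobile", "l",
    "userPrincipalName", "manager", "employeeNumber", "title",
    "locationCode", "distinguishedName",
]

# Constructed SAMLResponse carrying only six of them, as SAML tracer would show it.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="telephoneNumber"><saml:AttributeValue>+1 555 0100</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mobile"><saml:AttributeValue>+1 555 0101</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="l"><saml:AttributeValue>Provo</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="title"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()

# Constructed catalina.out excerpt. Only the phrase "Looking for attribute" comes
# from the thread; the rest of the line layout is assumed.
SAMPLE_LOG = [
    "INFO  Looking for attribute mail",
    "INFO  Looking for attribute sn",
    "INFO  Looking for attribute givenName",
    "INFO  Looking for attribute telephoneNumber",
    "INFO  Looking for attribute mobile",
    "INFO  Looking for attribute l",
    "INFO  Looking for attribute title",
]
LOOKUP_RE = re.compile(r"Looking for attribute\s+(\S+)")


def parse_response(b64):
    """Decode a SAMLResponse from the tracer (POST: base64; Redirect: DEFLATE+base64)."""
    raw = base64.b64decode(b64)
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # raw DEFLATE, as the Redirect binding uses
    return ET.fromstring(raw)


def attributes_in_response(b64):
    """Return {attribute Name: [values]} from every AttributeStatement in the response."""
    root = parse_response(b64)
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        # The tracer only shows ciphertext here; decrypt with the SP key before inspecting.
        raise ValueError("assertion is encrypted; decrypt it before inspecting attributes")
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def looked_up_attributes(log_lines):
    """Names the IDP tried to resolve, per the 'Looking for attribute' debug lines."""
    found = set()
    for line in log_lines:
        m = LOOKUP_RE.search(line)
        if m:
            found.add(m.group(1))
    return found


def triage(expected, b64, log_lines):
    """Classify each expected attribute: sent, sent empty, requested but absent, never requested."""
    received = attributes_in_response(b64)
    looked = looked_up_attributes(log_lines)
    report = {}
    for name in expected:
        if name in received and any(received[name]):
            report[name] = "sent"
        elif name in received:
            report[name] = "sent with empty value"
        elif name in looked:
            # Looked up but absent: no value in this user store, or it lives in another store.
            report[name] = "requested but absent from assertion"
        else:
            # Never looked up: the attribute set or policy applied to this user omits it.
            report[name] = "never requested"
    return report


if __name__ == "__main__":
    for name, status in triage(EXPECTED, SAMPLE_RESPONSE, SAMPLE_LOG).items():
        print(f"{name:20s} {status}")
```

Run it against the real tracer capture and catalina.out instead of the constructed samples: attributes reported as "never requested" point at the attribute set or the policy that applies to the user (the outcome the original poster eventually reached), while "requested but absent" points at the user store, which is the case the accepted answer describes.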

Commander

Sorry for the delay.

After doing more testing and digging into the attributes and what roles these attributes are associated with, it was determined that the attributes would pass through to the service provider (SP) based on what role that user has in the user store.

Cheers

Cadet 1st Class

Hello everyone,
We have the same problem.
SMAX can get some information like FamilyName, PhoneNumber, Mobile Phone, Email, location,
but we cannot get other important fields like:

  • FirstName
  • UPN
  • Manager
  • LocationCode
  • EmployeeNumber
  • Title
  • DistinguishedName

@ericveysey, could you please share a screenshot of your mapping in the ADFS server?
Thank you in advance.