Comments on SECURITY INTERNAL . COM: SAML Multi Valued Attributes in WSO2 Servers - Retrieving Role Claim of Users as a Single or Multi Valued attribute
Blog author: Tharindu Edirisinghe (http://www.blogger.com/profile/12940283701735485444)
Comment feed updated: 2024-01-22T12:47:58-08:00

Comment by Anonymous (2018-03-01T10:39:07-08:00):

I suppose that it is not the proper place and time to pose a question but...

We have the following setup with two WSO2 Identity Server 5.3.0:

WSO2 Identity Server IS1: sending authentication requests to other IdPs

WSO2 Identity Server IS2: doing authentication

IS1 is configured as a Service Provider in IS2, defining in the Claim Configuration the claim "http://wso2.org/claims/role" as mandatory (and other claims also as mandatory).

IS2 is configured as Identity Provider in IS1, defining in the Claim Configuration, Advanced Claim Configuration, additional claims with default values.

A Service Provider defined in IS1 is authenticating using SAML with IS2.

IS2 returns the role claim as a multi valued attribute (seen with SAML tracer) but the role is returned to the SP as a single valued attribute.

All the claims defined as mandatory in the configuration of IS1 as SP in IS2, as well as all the claims with default values in the configuration of IS2 as Identity Provider in IS1, are returned correctly; only the role claim (the only multi valued claim) is converted to single valued in the SAML response of IS1 to the SP.

If the claim "http://wso2.org/claims/role" is added in the Claim Configuration of the SP, the role is returned to the SP as a multi valued attribute, but it is the only claim provided in the response. All the claims defined as mandatory in the configuration of IS1 as SP in IS2, as well as all the claims with default values in the configuration of IS2 as Identity Provider in IS1, are not included.

It should not be necessary to add all the claims to return in the Claim Configuration of the SP given that, without it, the claims are returned, albeit with the role claim converted to single valued.

What configuration is missing?

Thanks

Comment by Tharindu Edirisinghe (2018-03-01T22:44:04-08:00):

Let me check this scenario and get back to you soon.

Comment by Anonymous (2018-03-15T13:00:38-07:00):

Hi

I am the same "Anonymous" ;-)

In the method buildAttributeStatement in [2], to check if the claim has multiple values, the value of IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR_DEFAULT [1] is used by default (if there is not a claim with name IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR).

If the claim value contains the separator, then it is built as a multi valued attribute; otherwise it is built as a single valued attribute, with the separator being the one specified in the property "MultiAttributeSeparator" in the userstore configuration.

As the default value of the property (",") is different from the constant IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR_DEFAULT, the attribute is built as single valued.

The workaround is to change the property "MultiAttributeSeparator" in the userstore configuration to ",,,".

The problem is that the class (I did not search which) that constructs the Map with the claims does not add a claim with the name of IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR (which is the same as the name of the property "MultiAttributeSeparator" in the userstore configuration) indicating which separator was used.

I hope this information is useful.

Thanks

[1] IdentityCoreConstants.java
https://github.com/wso2/carbon-identity-framework/blob/master/components/identity-core/org.wso2.carbon.identity.core/src/main/java/org/wso2/carbon/identity/core/util/IdentityCoreConstants.java

[2] DefaultSAMLAssertionBuilder.java
https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/5.4.x/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.java