000028975 - SAML response has AttributeName but no AttributeValue tags

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000028975
Applies To:
RSA Product Set: FIM
RSA Product/Service Type: Federated Identity Management Module
RSA Version/Condition: 4.1
Platform: Linux
Platform (Other): null
O/S Version: Red Hat Enterprise Linux 4.7 AS (32-bit)
Product Name: FIM MODULE
Product Description: RSA Federated Identity Manager
Issue
When attempting to export RSA Access Manager user properties as SAML attributes, the SAML response object shows that the attribute is being exported, but it contains no values:
    <saml:Attribute AttributeName="postaladdress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
    </saml:Attribute>
</saml:AttributeStatement>

The expected result is an attribute populated with values:
    <saml:Attribute AttributeName="postaladdress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
        <saml:AttributeValue>ctvalue1</saml:AttributeValue>
        <saml:AttributeValue>ctvalue2</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
 
Resolution
The SAML standard indicates that if an attribute has no value, the response should provide the AttributeName without any AttributeValue tags.
This is the expected response in a variety of situations in RSA Access Manager. It can occur if the user does not have values set for these attributes.
It can also occur if the user property is not set up correctly in RSA Access Manager. RSA FIM uses the runtimeAPI to retrieve the user properties. Ensure that the user property has the following setting enabled in the Entitlements Manager:
"Property value is published in HTTP header and is available through the runtimeAPI"
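
A diagnostic sketch for the symptom above, added here and not part of RSA's article or product code: it parses a captured attribute statement and lists the attributes exported without a usable value. The sample XML, its binding of the saml prefix to the SAML 1.1 assertion namespace, and the mail and title attributes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments in this article. The namespace
# binding and the "mail" and "title" attributes are assumptions for the demo.
SAMPLE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="postaladdress"
                  AttributeNamespace="http://schemas.xmlsoap.org/claims">
  </saml:Attribute>
  <saml:Attribute AttributeName="mail"
                  AttributeNamespace="http://schemas.xmlsoap.org/claims">
    <saml:AttributeValue>ctvalue1</saml:AttributeValue>
    <saml:AttributeValue>ctvalue2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="title"
                  AttributeNamespace="http://schemas.xmlsoap.org/claims">
    <saml:AttributeValue>  </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def attribute_values(xml_text):
    """Map each AttributeName to its list of non-blank AttributeValue texts."""
    root = ET.fromstring(xml_text)
    result = {}
    for elem in root.iter():
        if local(elem.tag) != "Attribute":
            continue
        name = elem.get("AttributeName", "<unnamed>")
        values = [(child.text or "").strip() for child in elem
                  if local(child.tag) == "AttributeValue"]
        result.setdefault(name, []).extend(v for v in values if v)
    return result


def valueless_attributes(xml_text):
    """Names with no AttributeValue element, or only blank ones."""
    return sorted(n for n, vals in attribute_values(xml_text).items() if not vals)


if __name__ == "__main__":
    for name in valueless_attributes(SAMPLE):
        print(f"{name}: exported without a value; check the user's data and "
              "the property's runtimeAPI publishing setting")
```

Run it against a response captured from your own federation test; matching is by local element name, so the prefix used in the capture does not matter.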
