000025869 - The prefix 'xsi' for attribute 'xsi:type' associated with an element type 'saml:AttributeValue' is not bound.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000025869
Applies To: Federated Identity Management Module 3.0
Issue: The prefix "xsi" for attribute "xsi:type" associated with an element type "saml:AttributeValue" is not bound.
Error stack trace: com.rsa.fim.profile.sso.SSOProfileException:
Exception encountered at the top-level of the profile bean: SAMLObject.fromStream() caught exception while parsing a stream
(wrapped: The prefix "xsi" for attribute "xsi:type" associated with an element type "saml:AttributeValue" is not bound.)
   at com.rsa.fim.profile.sso.SSOProfileBean.processResponse(SSOProfileBean.java:2755)
   at com.rsa.fim.profile.sso.SSOProfile_5wyj3w_EOImpl.processResponse(SSOProfile_5wyj3w_EOImpl.java:46)
   at com.rsa.fim.servlet.sso.AssertionConsumerService.doGet(AssertionConsumerService.java:64)
   at com.rsa.fim.servlet.sso.AssertionConsumerService.doPost(AssertionConsumerService.java:38)
Cause

A SAML 2.0 IdP has sent the following fragment as part of a SAML response to an SP:

             <saml:AttributeStatement>
                     <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="userId">
                              <saml:AttributeValue xsi:type="xsd:string">jdoe</saml:AttributeValue>
                     </saml:Attribute>
             </saml:AttributeStatement>

Resolution

The assertion is improperly formatted. The XML namespace prefixes "xsi" and "xsd", which are used to specify the attribute value type, are undefined. Part of the error message indicates this: "The prefix "xsi" for attribute "xsi:type" associated with an element type "saml:AttributeValue" is not bound." A qualified name (such as "xsi:type") is a namespace prefix and a local name separated by a colon. You must define any namespace (called "prefix" in the error message) on the element in which it is used or on one of that element's ancestors. So, in the example assertion, one of the AttributeValue, Attribute, AttributeStatement, Assertion or Response elements must contain the XML namespace definitions:

xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

In RSA FIM 3.0 we put these on the AttributeStatement, so the attribute statement from the example above would look like this:

               <saml:AttributeStatement xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                       <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="userId">
                                <saml:AttributeValue xsi:type="xsd:string">jdoe</saml:AttributeValue>
                       </saml:Attribute>
               </saml:AttributeStatement>
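The following check is an added example, not RSA's code or part of the original article. It reproduces the parser error and also shows why both declarations are needed: a namespace-aware parser validates prefixes only in element and attribute names, so the "xsd" prefix inside the xsi:type value has to be checked separately. The function name, the helper `wrap`, and the minimal saml:Assertion wrapper around the article's fragment are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XSD = "http://www.w3.org/2001/XMLSchema"

def find_unbound_prefixes(xml_text):
    """Return a list of unbound-prefix problems in names and xsi:type values."""
    problems, scope = [], []          # scope: stack of prefixes currently declared
    events = ("start-ns", "end-ns", "start")
    try:
        for event, data in ET.iterparse(io.BytesIO(xml_text.encode()), events):
            if event == "start-ns":
                scope.append(data[0])             # data is (prefix, uri)
            elif event == "end-ns":
                scope.pop()
            else:                                 # "start": data is the element
                qname = data.get("{%s}type" % XSI, "")
                prefix, sep, _ = qname.partition(":")
                if sep and prefix not in scope:
                    problems.append(
                        "xsi:type value %r uses unbound prefix %r" % (qname, prefix))
    except ET.ParseError as err:      # expat rejects unbound prefixes in names
        problems.append("parser: %s" % err)
    return problems

def wrap(statement_attrs):
    """Constructed sample: the article's fragment inside a minimal saml:Assertion."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        '<saml:AttributeStatement%s>'
        '<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="userId">'
        '<saml:AttributeValue xsi:type="xsd:string">jdoe</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement></saml:Assertion>' % statement_attrs
    )

AS_RECEIVED = wrap("")                                   # neither prefix declared
XSI_ONLY = wrap(' xmlns:xsi="%s"' % XSI)                 # parser accepts, xsd unbound
CORRECTED = wrap(' xmlns:xsd="%s" xmlns:xsi="%s"' % (XSD, XSI))

if __name__ == "__main__":
    for name, doc in (("as received", AS_RECEIVED), ("xsi only", XSI_ONLY),
                      ("corrected", CORRECTED)):
        print(name, "->", find_unbound_prefixes(doc) or "ok")
```
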

Legacy Article ID: a32245
