SAML response has AttributeName but no AttributeValue tags
4 years ago
Originally Published: 2014-10-31
Article Number
000066902
Applies To
RSA Product Set: FIM
RSA Product/Service Type: Federated Identity Management Module
RSA Version/Condition: 4.1
Platform: Linux
O/S Version: Red Hat Enterprise Linux 4.7 AS (32-bit)
Product Name: FIM MODULE
Product Description: RSA Federated Identity Manager
Issue
When attempting to export RSA Access Manager user properties as SAML attributes, the SAML response object shows that the attribute is being exported, but there are no values.

    <saml:Attribute AttributeName="postaladdress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
    </saml:Attribute>
</saml:AttributeStatement>


The expected result is values for the attributes:

    <saml:Attribute AttributeName="postaladdress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
        <saml:AttributeValue>ctvalue1</saml:AttributeValue>
        <saml:AttributeValue>ctvalue2</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
 
Resolution
The SAML standard indicates that if the attributes have no value then the response should provide the AttributeName without the AttributeValue tags.  

This is the expected response for a variety of different situations in RSA Access Manager.  It can occur if the user does not have values set for these attributes. 

It can also occur if the user property is not set up correctly in RSA Access Manager. RSA FIM uses the runtimeAPI to retrieve the user properties. Ensure that the user property has the following setting enabled in the Entitlements Manager:

"Property value is published in HTTP header and is available through the runtimeAPI"
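
To find which attributes in a captured response were exported without values, the following added example (not RSA code) parses a SAML 1.x attribute statement and lists them. The sample XML, the "mail" attribute and the function names are constructed for illustration; the namespace URI is the standard SAML 1.x assertion namespace.

```python
import xml.etree.ElementTree as ET

# SAML 1.x assertion namespace (the AttributeName/AttributeNamespace form shown above).
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample: one attribute without values, one with the expected values.
SAMPLE = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:Attribute AttributeName="postaladdress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
  </saml:Attribute>
  <saml:Attribute AttributeName="mail" AttributeNamespace="http://schemas.xmlsoap.org/claims">
    <saml:AttributeValue>ctvalue1</saml:AttributeValue>
    <saml:AttributeValue>ctvalue2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def attribute_values(xml_text):
    """Map (namespace, name) -> list of values for every saml:Attribute found."""
    # SAML messages never need a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a SAML message")
    root = ET.fromstring(xml_text)
    result = {}
    for attr in root.iter("{%s}Attribute" % SAML1):
        key = (attr.get("AttributeNamespace"), attr.get("AttributeName"))
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        result.setdefault(key, []).extend(values)
    return result


def attributes_without_values(xml_text):
    """Names of attributes exported with no AttributeValue, or only empty ones."""
    return sorted(
        name for (_ns, name), values in attribute_values(xml_text).items()
        if not any(values)
    )


if __name__ == "__main__":
    for name in attributes_without_values(SAMPLE):
        print("no value exported for:", name)
```

Each name reported is a property to check against the two causes above: the user has no value set, or the property is not published through the runtimeAPI.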