Forum Discussion
Multi-valued SAML attributes not supported - any ideas/workarounds?
Currently APM does not support multi-valued SAML attributes (multiple instances of the same attribute within a SAML assertion; Bug ID 400726, SOL 14570).
Consider authentication and access control based on group membership. Typically users can be members of multiple groups. In a normal AD scenario, there is an AD query after the AD auth to get a list of groups, and it is easy to provide access to applications based on the group memberships.
Now, is this possible with SAML federation? Many IdPs, including MS Azure AD, can deliver group information within the SAML authentication response assertion using multi-valued attributes. This would be ideal for federated group-based authentication and access control. However, there is this APM bug: only the first occurrence of the attribute is parsed into a session variable. APM sees the other values but ignores them (the /var/log/apm log reveals this).
Does anybody have ideas for a workaround, or info on whether this bug is being addressed anytime soon?
19 Replies
While no workaround exists, the support for multi-valued attributes is going to be included in the next version of the product, V12.0.
- THi
Nimbostratus
Looks like it is now supported in 11.6.0 HF4
- Daniel_W_
Cirrus
Does anybody have new information on that? In 12.0, multi-valued attributes are supported on the IdP, but this won't help regarding THi's question. To deliver AD group information to a SAML SP, the memberOf variable could be used. This variable is single-valued (each group is concatenated with a pipe symbol) and sent as one string to the SAML SP, even on 12.0.
Daniel,
There is a bug id 534374 that tracks the implementation of being able to separate multiple values within a single APM session variable into properly-formatted multi-valued attribute SAML syntax. I would like to ask you to log a support case and request it to be linked to that bug. Thanks.
- Walter_Kacynsk1
Nimbostratus
It seems that 534374 was released under 12.0.0 HF1
- InnO
Nimbostratus
Yep. But what about versions 11.x ??
No plans to backport it to 11.x.
- Michael_Koyfman
Cirrocumulus
- Daniel_W_
Cirrus
Hi Michael,
thanks. I've created a case: C1910402
- amolari
Cirrostratus
Thanks Michael, I will also open a case to link it to that BIGID. But too bad that dev has overseen that use case. Hopefully it will get fixed soon...
- r3ma_74410
Nimbostratus
I wrote an iRule to parse multi-valued attributes from a federated SAML token and put them into one string with each element separated by a pipe:
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "di_roleParse" } {
        # Get the raw SAML assertion
        set samlAssertion [ACCESS::session data get "session.saml.last.assertion"]
        # Parse the XML and only extract the Role claim; also trim the first 76 characters so we don't keep all the attribute junk
        set roleValues [findstr $samlAssertion "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" 76 ""]
        # The forum stripped the XML tags out of the two patterns below; they are reconstructed here
        # from the original comments (attribute value openers / closers), i.e. <saml:AttributeValue ...> and </saml:AttributeValue>
        # Delete all the XML attribute value openers
        regsub -all {<saml:AttributeValue[^>]*>} $roleValues "" roleValues
        # Replace all the XML attribute value closers with space pipe space
        regsub -all {</saml:AttributeValue>} $roleValues " | " roleValues
        # Assign to a custom variable (the original referenced an unset $shortRoles here)
        ACCESS::session data set session.custom.attr.role $roleValues
    }
}
- Daniel_W__13795
Nimbostratus
Has anybody changed this iRule to do it the other way around? Search for pipes and transfer each entry into a multi-valued attribute? This would help everybody who is trying to send AD groups to a SAML SP as a multi-valued attribute. I will try that as soon as I find some time.
- r3ma_74410
Nimbostratus
Yep, I tried that. The parser that creates SAML tokens for the F5 IdP service doesn't allow you to put XML tag characters inside attributes. It re-encodes them into their URL equivalents. So when I tried to replace the pipes with 'GROUP'"GROUP' etc., it printed it into the SAML token like this: 'GROUP'<&bs;saml:AttributeValue$gt; Annoying. EDIT: Oh bloody hell, this comment box has re-encoded all my URL and XML tags. See below so I can use a code box. Sigh.
- r3ma_74410
Nimbostratus
The parser that creates SAML tokens for the F5 IdP service doesn't allow you to put XML tag characters inside attributes. It re-encodes them into their URL equivalents. So when I tried to replace the pipes with 'GROUP''GROUP' etc., it printed it into the SAML token like this:
<saml:attributevalue>'GROUP'<&bs;saml:attributevalue> etc... So as you can see, the parser for variable strings into the token looks for XML junk. So you can't make your own tags.
- Daniel_W_
Cirrus
Just installed 12.0 HF1 and saw that the AD memberOf variable is now split into different attribute values.
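The two directions discussed in this thread (r3ma_74410's iRule that flattens a multi-valued attribute into a pipe-separated string, and Daniel_W_'s reverse case of emitting one AttributeValue per group) written out with a namespace-aware XML parser instead of findstr/regsub string surgery. This is an added example in Python, not code from the thread or from F5; the sample assertion, function names and values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"
ET.register_namespace("saml", SAML_NS)  # keep the saml: prefix on serialised output

# Constructed sample (not a real IdP capture): one multi-valued Role attribute.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{ROLE_CLAIM}">
      <saml:AttributeValue>GROUP-A</saml:AttributeValue>
      <saml:AttributeValue>GROUP-B</saml:AttributeValue>
      <saml:AttributeValue>Ops &amp; Sec</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str, name: str) -> list:
    """Every AttributeValue of the Attribute called `name`, in document order.

    This is what the thread's findstr/regsub iRule approximates with string
    surgery; a namespace-aware parser returns all values, not just the first.
    """
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):  # iter() includes root itself
        if attr.get("Name") != name:
            continue
        for av in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            values.append((av.text or "").strip())
    return values


def pipe_join(values: list) -> str:
    """The single-string form APM's memberOf variable uses ('a | b | c').
    Lossy: a value that itself contains ' | ' cannot be split back apart."""
    return " | ".join(values)


def build_attribute(name: str, values: list) -> str:
    """Reverse direction: one AttributeValue element per value. The serialiser
    escapes '<', '>' and '&' in text, so a value can never smuggle its own
    markup; this is the same re-encoding r3ma_74410 ran into when pasting raw
    tags into a session variable."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", Name=name)
    for v in values:
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    return ET.tostring(attr, encoding="unicode")
```

The round trip `attribute_values(build_attribute(...))` returns the original list, including values with angle brackets, because escaping on output and unescaping on parse are symmetric; the pipe-joined form does not offer that guarantee.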