Forum Discussion

Steve_Dionne's avatar
Icon for Nimbostratus rankNimbostratus
Nov 12, 2021

SAML Attributes require String type

I am doing a SAML Integration with Tableau Server.

Actually Tableau is unable to read my username attribute, because it is missing


Their documentation say: "You must configure the IdP to return an assertion that includes the username attribute in the saml:AttributeStatement element. The assertion’s attribute type must be xs:string (it should not be typed as xs:any)."

They required this:

    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">

and for now F5 SAML return this:

      <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">user-name</saml2:AttributeValue>

Another example is using OKTA as an IDP , it return this and it works:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Attribute Name="username"
        <saml2:AttributeValue xmlns:xs=""

How can I do this with F5, we are using Big-IP release 14

I need to find a way to add


to the username attribute.

I do not see any way to do this from the SAML Attributes in Edit IDP Service


1 Reply

  • You can rewrite the assertion using an iRule. The rule below might work for you.

            set assertion [ ACCESS::saml assertion ]       
            set new_assertion [ string map [list "<saml2:AttributeValue xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">" "<saml2:AttributeValue xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" xsi:type=\"xs:string\">"] $assertion ]        
            ACCESS::saml assertion $new_assertion