Forum Discussion
SAML Attributes require String type
I am doing a SAML Integration with Tableau Server.
Actually Tableau is unable to read my username attribute, because it is missing
xsi:type="xs:string"
https://help.tableau.com/current/server-linux/en-us/saml_requ.htm#xml_requirements
Their documentation says: "You must configure the IdP to return an assertion that includes the username attribute in the saml:AttributeStatement element. The assertion’s attribute type must be xs:string (it should not be typed as xs:any)."
They require this:
<saml:AttributeStatement>
<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
user-name
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
and for now F5 SAML returns this:
<saml2:AttributeStatement>
<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
Name="username"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
>
<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">user-name</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Another example is using OKTA as an IDP; it returns this and it works:
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<saml2:Attribute Name="username"
NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>
<saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string"
>user-name</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
How can I do this with F5? We are using Big-IP release 14.
I need to find a way to add
xsi:type="xs:string"
to the username attribute.
I do not see any way to do this from the SAML Attributes in Edit IDP Service.
Thanks,
You can rewrite the assertion using an iRule. The rule below might work for you.
when ACCESS_SAML_ASSERTION {
    # Read the assertion generated by the IdP service
    set assertion [ ACCESS::saml assertion ]
    # Add xsi:type="xs:string" to every untyped AttributeValue start tag
    set new_assertion [ string map [list \
        "<saml2:AttributeValue xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">" \
        "<saml2:AttributeValue xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" xsi:type=\"xs:string\">" \
    ] $assertion ]
    # Hand the rewritten assertion back to APM
    ACCESS::saml assertion $new_assertion
}
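A way to check a captured assertion after the rewrite, as an added example that is not part of the original thread: for each username AttributeValue it reports whether xsi:type resolves to the XML Schema string type, which also requires the xs and xsi prefixes to be declared somewhere in scope. The function names and the sample assertions are constructed for illustration and are not real IdP output.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"

def attribute_value_types(xml_text, attr_name="username"):
    """Return one verdict per AttributeValue of the named SAML attribute."""
    verdicts, scope, wanted = [], [], False
    source = io.BytesIO(xml_text.encode("utf-8"))
    try:
        for event, item in ET.iterparse(source, ("start-ns", "end-ns", "start", "end")):
            if event == "start-ns":
                scope.append(item)          # (prefix, uri) is now in scope
            elif event == "end-ns":
                scope.pop()                 # declaring element has closed
            elif item.tag == "{%s}Attribute" % SAML:
                wanted = event == "start" and item.get("Name") == attr_name
            elif event == "start" and wanted and item.tag == "{%s}AttributeValue" % SAML:
                verdicts.append(_classify(item.get("{%s}type" % XSI), scope))
    except ET.ParseError as exc:            # e.g. xsi: used but never declared
        return ["not well-formed: %s" % exc]
    return verdicts

def _classify(xsi_type, scope):
    if xsi_type is None:
        return "untyped"
    # xsi:type holds a QName; resolve its prefix against the in-scope bindings
    prefix, _, local = xsi_type.rpartition(":")
    uri = next((u for p, u in reversed(scope) if p == prefix), None)
    return "xs:string" if (uri, local) == (XS, "string") else "other: " + xsi_type

def sample(root_extra, value_attrs):
    """Constructed assertion skeleton modelled on the fragments in the thread."""
    return ('<saml2:Assertion xmlns:saml2="' + SAML + '"' + root_extra + '>'
            '<saml2:AttributeStatement><saml2:Attribute Name="username">'
            '<saml2:AttributeValue xmlns:saml2="' + SAML + '"' + value_attrs + '>'
            'user-name</saml2:AttributeValue></saml2:Attribute>'
            '</saml2:AttributeStatement></saml2:Assertion>')

TYPED = ' xsi:type="xs:string"'
DECLS = ' xmlns:xs="%s" xmlns:xsi="%s"' % (XS, XSI)

if __name__ == "__main__":
    print(attribute_value_types(sample("", "")))             # untyped value
    print(attribute_value_types(sample("", TYPED)))          # prefixes not declared
    print(attribute_value_types(sample("", DECLS + TYPED)))  # declared on the value
```

If the second case matches what the IdP sends, adding the two xmlns declarations to the replacement string gives the form shown in the Tableau documentation and in the OKTA output.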