Currently APM does not support multi-valued SAML attributes (multiple instances of the same attribute within a SAML assertion) (Bug ID 400726, SOL 14570).
Consider authentication and access control based on group membership. Typically users can be members of multiple groups. In a normal AD scenario, there is an AD query after the AD auth to get a list of groups, and it is easy to provide access to applications based on the group memberships.
Now is this possible with SAML federation? Many IdPs, including MS Azure AD, can deliver group information within the SAML authentication response assertion using multi-valued attributes. This would be ideal for federated group-based authentication and access control - however there is this APM bug - only the first occurrence of the attribute is parsed to a session variable. APM sees the other values but ignores them (the /var/log/apm log reveals this).
Does anybody have ideas for a workaround, or info on whether this bug is being addressed anytime soon?
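
Added example, not part of the original post and not F5 code: a Python sketch of why keeping only the first value of a multi-valued SAML attribute breaks group-based access decisions. The attribute name `groups`, the group names and all function names are assumptions, and the sample statement is constructed; it covers both repeated `AttributeValue` children and repeated `Attribute` elements with the same name.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: "groups" appears as two values in one Attribute
# element and again as a second Attribute element with the same Name.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>vpn-users</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>finance-app</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def collect_attributes(statement_xml):
    """Return {name: [values]} keeping every value in document order.

    Assumes the assertion signature was verified before this point; use a
    hardened XML parser for input that has not been validated.
    """
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = attrs.setdefault(attr.get("Name"), [])
        for value in attr.iterfind("saml:AttributeValue", NS):
            values.append((value.text or "").strip())
    return attrs


def first_value_only(attrs):
    """Model of the behaviour described in the post: one value per name."""
    return {name: values[:1] for name, values in attrs.items()}


def is_authorized(attrs, attr_name, required_group):
    """Group check as an access policy would apply it to the parsed values."""
    return required_group in attrs.get(attr_name, [])


if __name__ == "__main__":
    full = collect_attributes(SAMPLE_STATEMENT)
    print("all values  :", full["groups"])
    print("first only  :", first_value_only(full)["groups"])
    print("finance-app :", is_authorized(full, "groups", "finance-app"),
          "vs", is_authorized(first_value_only(full), "groups", "finance-app"))
```

With first-value-only parsing, the user is treated as a member of `staff` alone, so any policy branch keyed on a later group silently fails closed for legitimate members.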