
SAML Attributes require String type

Steve_Dionne
Nimbostratus

I am doing a SAML Integration with Tableau Server.

 

Actually, Tableau is unable to read my username attribute because it is missing

xsi:type="xs:string"

https://help.tableau.com/current/server-linux/en-us/saml_requ.htm#xml_requirements

Their documentation says: "You must configure the IdP to return an assertion that includes the username attribute in the saml:AttributeStatement element. The assertion's attribute type must be xs:string (it should not be typed as xs:any)."

 

They require this:

<saml:AttributeStatement>
  <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">
      user-name
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>

 

and for now F5 SAML returns this:

<saml2:AttributeStatement>
  <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                   Name="username"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">user-name</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>

 

Another example is using Okta as an IdP; it returns this and it works:

<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="username"
                   NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                          xsi:type="xs:string">user-name</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

 

How can I do this with F5? We are using BIG-IP release 14.

I need to find a way to add

xsi:type="xs:string"

to the username attribute.

 

I do not see any way to do this from the SAML Attributes in Edit IdP Service.

 


 

Thanks,

1 REPLY

You can rewrite the assertion using an iRule. The rule below might work for you.

 

when ACCESS_SAML_ASSERTION {
    # Assertion BIG-IP (as IdP) has just built; this event lets an iRule
    # modify it before it is signed and returned to the SP.
    set assertion [ACCESS::saml assertion]

    # Literal replacement of the AttributeValue start tag. The xs: and xsi:
    # prefixes must be declared on the element (as in Tableau's example);
    # adding only xsi:type="xs:string" leaves the prefix unbound and the
    # result is not namespace-well-formed.
    set new_assertion [string map [list \
        "<saml2:AttributeValue xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\">" \
        "<saml2:AttributeValue xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xs:string\">" \
    ] $assertion]

    ACCESS::saml assertion $new_assertion
}
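The following is an added example, not code from this thread, from F5 or from Tableau. It reproduces the iRule's literal string-map rewrite in Python so the outcome can be parsed offline before deploying anything: the assertion is constructed from the fragment the question shows BIG-IP emitting (wrapped in a minimal Assertion element with made-up ID and timestamp), and the two replacement tags show why the namespace declarations matter. Inserting only xsi:type="xs:string" leaves the xsi prefix unbound, which a namespace-aware parser on the SP side rejects; inserting the declarations along with it yields the typed value Tableau asks for.

```python
"""Offline check of the AttributeValue rewrite an iRule would apply.

Added example, not part of the DevCentral thread. The sample assertion is
constructed from the fragment posted in the question; ID and IssueInstant
are placeholders, not real values.
"""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample: what BIG-IP emitted in the question, wrapped in a
# minimal Assertion so it parses stand-alone.
F5_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
    '<saml2:AttributeStatement>'
    '<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'Name="username" '
    'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
    '<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'user-name</saml2:AttributeValue>'
    '</saml2:Attribute>'
    '</saml2:AttributeStatement>'
    '</saml2:Assertion>'
)

# Start tag the iRule's [string map ...] looks for.
OLD_TAG = '<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'

# Replacement that adds the type attribute only (no prefix declarations).
TYPED_TAG_NO_DECL = (
    '<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xsi:type="xs:string">'
)

# Replacement that also declares xs: and xsi:, as Tableau's example does.
TYPED_TAG_WITH_DECL = (
    '<saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="xs:string">'
)


def rewrite(assertion: str, declare_namespaces: bool) -> str:
    """Literal tag replacement, the same operation as the iRule's string map."""
    new_tag = TYPED_TAG_WITH_DECL if declare_namespaces else TYPED_TAG_NO_DECL
    return assertion.replace(OLD_TAG, new_tag)


def is_well_formed(assertion: str) -> bool:
    """True if a namespace-aware parser accepts the document."""
    try:
        ET.fromstring(assertion)
        return True
    except ET.ParseError:
        return False


def username_value_type(assertion: str):
    """xsi:type of the 'username' AttributeValue, or None if it is untyped.

    Raises ET.ParseError on a document that is not namespace-well-formed,
    which is what happens when xsi: is used without being declared.
    """
    root = ET.fromstring(assertion)
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        if attr.get("Name") != "username":
            continue
        value = attr.find(f"{{{SAML2}}}AttributeValue")
        if value is None:
            return None
        return value.get(f"{{{XSI}}}type")
    return None


if __name__ == "__main__":
    print("as emitted:", username_value_type(F5_ASSERTION))
    print("type only well-formed:", is_well_formed(rewrite(F5_ASSERTION, False)))
    fixed = rewrite(F5_ASSERTION, True)
    print("with declarations:", username_value_type(fixed))
```

Run it against a real assertion captured from the IdP (with the signature already stripped, since the rewrite must happen before signing anyway) to confirm the map key matches the exact start tag BIG-IP emits; a single whitespace or attribute-order difference means the string map silently replaces nothing.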