This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SAML Assertion schema incorrect for AttributeValue element

SA-22756

Summary

The user is trying to use the SAML SSO token to extract additional Active Directory (AD) information passed by the IdP, reading it from the D_SAMLAssertionDataPage.AttributeStatement data page. However, the data page only includes the last AttributeValue element of each Attribute group. The AttributeStatement structure of the SAML SSO response looks like this:

<saml:AttributeStatement>
<saml:Attribute Name="groups">
<saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">AB-A-ABC-OMW-READ.Security.Groups.Corporate.production.prod</saml:AttributeValue>
<saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">AB-A-ABC-OMW-RESTRICTED.Security.Groups.Corporate.production.prod</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>

The user is trying to extract the AttributeValue elements for the Attribute with Name="groups", but only ever receives the last AttributeValue of any Attribute element.

Looking at the Data Model for Data-SAMLAssertion-AttributeType shows only a scalar property, pyAttributeValue, even though the saml:AttributeValue element is clearly an unbounded complex element of type anyType. I've imported the standard SAML 2.0 Assertion XSD (also attached) and it appears that the pyAttributeValue property has been added as a scalar property after the import of the schema.

To extract all AttributeValue elements, the Pega data model schema and XML parsing rules must be correct.

Error Messages

Not applicable.

Steps to Reproduce

1. Implement SAML SSO and configure the IdP to return an Attribute group with multiple AttributeValue elements, for example multiple AD groups.
2. Enable DEBUG logging of the pySAMLWebSSOAuthenticationActivity activity. This shows the entire response XML in the log.

Root Cause

A defect in Pegasystems' code or rules

The property pyAttributeValue is of type text and hence unable to accommodate repeating values.
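The following Python snippet is an added illustration of this root cause and is not code from the article or from Pega's own parser. It runs the defective scalar mapping (one text slot per Attribute, so each repeated AttributeValue overwrites the previous one) beside the list-valued mapping the unbounded schema element calls for, over a constructed AttributeStatement modelled on the one in the Summary; the "mail" attribute and its address are invented.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XS_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample, modelled on the article's AttributeStatement.
# The "mail" attribute is invented to show a single-valued Attribute alongside it.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS}"
    xmlns:xs="{XS_NS}" xmlns:xsi="{XSI_NS}">
  <saml:Attribute Name="groups">
    <saml:AttributeValue xsi:type="xs:string">AB-A-ABC-OMW-READ.Security.Groups.Corporate.production.prod</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">AB-A-ABC-OMW-RESTRICTED.Security.Groups.Corporate.production.prod</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail">
    <saml:AttributeValue xsi:type="xs:string">alice@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

ATTRIBUTE_TAG = f"{{{SAML_NS}}}Attribute"
VALUE_TAG = f"{{{SAML_NS}}}AttributeValue"


def parse_scalar(xml_text):
    """Defective mapping: a single text property per Attribute, so every
    repeated AttributeValue overwrites the last and only the final one survives."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(ATTRIBUTE_TAG):
        for value in attr.findall(VALUE_TAG):
            out[attr.get("Name")] = (value.text or "").strip()
    return out


def parse_multivalued(xml_text):
    """Correct mapping: AttributeValue is unbounded, so keep a list per Attribute."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(ATTRIBUTE_TAG):
        values = out.setdefault(attr.get("Name"), [])
        for value in attr.findall(VALUE_TAG):
            values.append((value.text or "").strip())
    return out


def lost_values(xml_text):
    """Values that the scalar mapping silently drops, per Attribute name."""
    scalar = parse_scalar(xml_text)
    full = parse_multivalued(xml_text)
    return {name: [v for v in vals if v != scalar.get(name)]
            for name, vals in full.items() if len(vals) > 1}
```

Any authorization rule keyed on group membership sees only the last value under the scalar mapping, so the dropped groups are the ones to check for once the hotfix is applied.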

Resolution

Apply HFix-27385.

Published May 4, 2016 - Updated October 8, 2020