We have a single sign on process in operation at a customer site and we’ve come across a situation where a user has multiple user roles assigned to them. This results in the saml token containing duplicate user profile attributes with two different values.
However on receiving the assertion request we only see a single attribute. I’m guessing the duplicate attribute names is either not supported or some configuration needs changing.
Could you please advise me if this is supported and if so what needs changing so we can see both values. Since we get back a key-value object it feels like this wouldn’t work.
Thanks!
SAMLServiceProvider.ReceiveSSO includes an overload that returns an IDictionary<string, string>, which is suitable for single-value SAML attributes, and an overload that returns a SAMLAttribute[], which is suitable for multi-value SAML attributes.
In many use cases, single-value SAML attributes are used and the IDictionary<string, string> overload is more convenient.
However, in your case with a multi-value SAML attribute, you need to use the overload that returns a SAMLAttribute[].
bool isInResponseTo;
string partnerIdP;
string authnContext;
string userName;
SAMLAttribute[] attributes;
string targetUrl = null;
// Receive and process the SAML assertion contained in the SAML response.
// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
Using the SAMLAttribute class, you have access to the Name, FriendlyName and attribute value(s).
[quote][/quote]
SAMLServiceProvider.ReceiveSSO includes an overload that returns an IDictionary, which is suitable for single-value SAML attributes, and an overload that returns a SAMLAttribute[], which is suitable for multi-value SAML attributes.
In many use cases, single-value SAML attributes are used and the IDictionary overload is more convenient.
However, in your case with a multi-value SAML attribute, you need to use the overload that returns a SAMLAttribute[].
bool isInResponseTo;
string partnerIdP;
string authnContext;
string userName;
SAMLAttribute[] attributes;
string targetUrl = null;
// Receive and process the SAML assertion contained in the SAML response.
// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
Using the SAMLAttribute class, you have access to the Name, FriendlyName and attribute value(s).
In many use cases, single-value SAML attributes are used and the IDictionary overload is more convenient.
However, in your case with a multi-value SAML attribute, you need to use the overload that returns a SAMLAttribute[].
bool isInResponseTo;
string partnerIdP;
string authnContext;
string userName;
SAMLAttribute[] attributes;
string targetUrl = null;
// Receive and process the SAML assertion contained in the SAML response.
// The SAML response is received either as part of IdP-initiated or SP-initiated SSO.
SAMLServiceProvider.ReceiveSSO(Request, out isInResponseTo, out partnerIdP, out authnContext, out userName, out attributes, out targetUrl);
Using the SAMLAttribute class, you have access to the Name, FriendlyName and attribute value(s).
OK great thanks for the information!
You’re welcome.