Including XML as attribute value

I have a requirement to pass an object array (id, name per object) to a vendor for SAML. They want the data to come over in CDATA in this format:


<saml:AttributeValue><![CDATA[


321
Text 321


123
Text 123

]]>
</saml:AttributeValue>


I tried to manually make this string by making a string including the CDATA:

var vendorNetworkListString = "<![CDATA[";

foreach (var vendorNetworkDto in vendorNetworkDtoList)
{
    vendorNetworkListString += "" + vendorNetworkDto.VendorNetworkId + ""
        + vendorNetworkDto.VendorNetworkName + "";
}

vendorNetworkListString += "]]>";



However, when I make a new SAMLAttribute object:
samlAttribute = new SAMLAttribute("ppc_plans", SAMLIdentifiers.AttributeNameFormats.Basic, "ppc_plans", vendorNetworkListString);

it escapes the “<” and “>” and renders this in the SAML:
<saml:AttributeValue><![CDATA[ ... ppcList>]]></saml:AttributeValue>


I am trying to figure out the right way to do this. Can someone point me in the right direction?

Thank you.

Alright, I finally found some code in the sample code and was able to get this to work:

// Register an XML serializer so the "ppc_plans" value is written as XML, not as an escaped string.
ComponentSpace.SAML2.Assertions.AttributeType.RegisterAttributeValueSerializer("ppc_plans", SAMLIdentifiers.AttributeNameFormats.Basic, new XmlAttributeValueSerializer());
// Parse the XML string and use its root element as the attribute value.
var xmlDocument = new XmlDocument();
xmlDocument.LoadXml(vendorNetworkListXmlString);
samlAttribute = new SAMLAttribute("ppc_plans", SAMLIdentifiers.AttributeNameFormats.Basic, "ppc_plans");
samlAttribute.Values.Add(new AttributeValue(xmlDocument.DocumentElement));
attributeStatement.Attributes.Add(samlAttribute);

Hi Brian
Just to confirm, the sample code you found is the correct approach.
The call to SAMLAttribute.RegisterAttributeValueSerializer identifies the attribute as being XML rather than a string.
This is only required when using the SAML low-level API.
The SAML high-level API handles this automatically.

Hi,

I am having the same issue. My vendor asks us to wrap an XML string with CDATA as the value of an attribute. I am using the high-level API. If I concatenate the XML with CDATA, the “<” and “>” are escaped in the SAML response. If I just assign the XML string to the attribute without concatenating CDATA, there is no escaping, which is good. But the SAML component does not wrap the string with CDATA.

Please help.

Thanks.

CK

By default, we serialize SAML attribute values as strings which covers the majority of use cases and simplifies the calls into the SAML API.

For example, the following section of code treats the SAML attribute value as a string.

using System.Xml;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;

// Construct the SAML attribute.
SAMLAttribute samlAttribute = new SAMLAttribute();
samlAttribute.Name = "test";
samlAttribute.Values.Add(new AttributeValue("<![CDATA[<test>This is a test</test>]]>"));

// Send the SAML response and assertion to the service provider.
SAMLIdentityProvider.SendSSO(Response, userName, new SAMLAttribute[] { samlAttribute });

The SAML response received at the service provider includes the following XML for this SAML attribute with entity references escaping the “<” and “>” characters.

<saml:Attribute Name="test"><saml:AttributeValue>&lt;![CDATA[&lt;test&gt;This is a test&lt;/test&gt;]]&gt;</saml:AttributeValue></saml:Attribute>

If you wish to have a CDATA section or any other XML node as the SAML attribute value, you need to specify that the attribute value is XML by registering the appropriate attribute value serializer and supply an XmlNode object as the attribute value.

The following code registers an XML attribute value serializer, creates a SAML attribute with a CDATA section attribute value and includes this in the SAML assertion sent to the service provider.

using System.Xml;
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;

// The "test" SAML attribute value must be serialized as XML.
SAMLAttribute.RegisterAttributeValueSerializer("test", null, new XmlAttributeValueSerializer());

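// Create the CDATA section object which will be the SAML attribute value.
// The XmlDocument only acts as the factory (owner document) for the node.
XmlDocument xmlDocument = new XmlDocument();
XmlCDataSection xmlCDataSection = xmlDocument.CreateCDataSection("<test>This is a test</test>");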

// Construct the SAML attribute.
SAMLAttribute samlAttribute = new SAMLAttribute();
samlAttribute.Name = "test";
samlAttribute.Values.Add(new AttributeValue(xmlCDataSection));

// Send the SAML response and assertion to the service provider.
SAMLIdentityProvider.SendSSO(Response, userName, new SAMLAttribute[] { samlAttribute });

The SAML response received at the service provider includes the following XML for this SAML attribute.

<saml:Attribute Name="test"><saml:AttributeValue><![CDATA[<test>This is a test</test>]]></saml:AttributeValue></saml:Attribute>
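
Once an attribute value is serialized as XML rather than as an escaped string, the code that builds the value is responsible for escaping whatever data goes into it. The following is an added example, not part of any post in this thread and not ComponentSpace code: it builds the payload with XmlWriter instead of string concatenation and returns the XmlCDataSection that would be passed to new AttributeValue(...). The DTO class and the element names plan, id and name are assumptions; ppcList is taken from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Xml;
// Hypothetical DTO with the two fields used in the question.
public class VendorNetworkDto
{
    public int VendorNetworkId { get; set; }
    public string VendorNetworkName { get; set; }
}

public static class PlanListCData
{
    // "plan", "id" and "name" are placeholder element names, not the vendor's schema.
    public static string BuildInnerXml(IEnumerable<VendorNetworkDto> networks)
    {
        var sb = new StringBuilder();
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true };
        using (XmlWriter writer = XmlWriter.Create(sb, settings))
        {
            writer.WriteStartElement("ppcList");
            foreach (VendorNetworkDto n in networks)
            {
                writer.WriteStartElement("plan");
                writer.WriteElementString("id", XmlConvert.ToString(n.VendorNetworkId));
                // The writer escapes <, > and & in the name; concatenation would not.
                writer.WriteElementString("name", n.VendorNetworkName);
                writer.WriteEndElement();
            }
            writer.WriteEndElement();
        }
        return sb.ToString();
    }
    public static XmlCDataSection BuildCData(XmlDocument owner, IEnumerable<VendorNetworkDto> networks)
    {
        string inner = BuildInnerXml(networks);
        // A literal "]]>" would end the CDATA section early, so fail closed.
        if (inner.Contains("]]>"))
            throw new InvalidOperationException("Payload contains the CDATA terminator.");
        return owner.CreateCDataSection(inner);
    }
    public static void Main()
    {
        // Constructed sample data; the second name contains XML metacharacters.
        var networks = new List<VendorNetworkDto> {
            new VendorNetworkDto { VendorNetworkId = 321, VendorNetworkName = "Text 321" },
            new VendorNetworkDto { VendorNetworkId = 123, VendorNetworkName = "A & B ]]> <C>" } };
        Console.WriteLine(BuildCData(new XmlDocument(), networks).OuterXml);
    }
}
```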