Multiple SAML assertion AttributeValue elements are concatenated in a single claim

Hi,
We are using ComponentSpace SAML to integrate with Azure AD in ASP.NET Core. We get a proper set of assertions from Azure AD and get the following from there:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>32955b95-b636-4dc9-a47d-1d6901c472df</AttributeValue>
    <AttributeValue>1e76c02a-e6ac-4448-9b93-da31d81f8bc5</AttributeValue>
    <AttributeValue>429ba3ed-ebe1-4dbd-9c4f-6cecbcaf6c4d</AttributeValue>
    <AttributeValue>c2c08580-f111-4820-af83-c7def1603f68</AttributeValue>
    <AttributeValue>a302eb51-a066-4b74-8b46-7dce1d0a036c</AttributeValue>
    <AttributeValue>d0512373-70db-4815-ac57-640119b502bf</AttributeValue>
    <AttributeValue>78b8b3f4-a410-4acc-80ab-b965be21a74b</AttributeValue>
</Attribute>

However, in our application we get a single claim with all the values concatenated as a single claim, rather than separate claims for every value.

Regards
Likhan

I’m assuming you’re calling var ssoResult = await _samlServiceProvider.ReceiveSsoAsync().
The ssoResult.Attributes returns an array of SamlAttribute objects.
If you use SamlAttribute.ToString(), this returns the concatenated SAML attribute values.
Instead, access the SamlAttribute.AttributeValues property which returns the list of AttributeValue objects.
The AttributeValue.ToString() returns the individual attribute value as a string.

[quote]
ComponentSpace - 10/29/2019
I'm assuming you're calling var ssoResult = await _samlServiceProvider.ReceiveSsoAsync().
The ssoResult.Attributes returns an array of SamlAttribute objects.
If you use SamlAttribute.ToString(), this returns the concatenated SAML attribute values.
Instead, access the SamlAttribute.AttributeValues property which returns the list of AttributeValue objects.
The AttributeValue.ToString() returns the individual attribute value as a string.
[/quote]

Hi. Thanks for the reply. We are not calling anything ourselves to create the authenticated principal. We are using the middleware approach and added it to the authentication pipeline.

The SAML authentication handler makes use of an ISamlClaimFactory for constructing Claims from the SAML subject and attributes.
The default implementation of ISamlClaimFactory assumes single value SAML attributes and sets the claim value to SamlAttribute.ToString().
You could implement this interface to handle multi-value SAML attributes.
However, perhaps this is something we should do.
How exactly would you want multi-value SAML attributes to be handled?
Would multiple claims be created with the same name and different values?
I’d have to check if this is supported by .NET Core.

[quote]
ComponentSpace - 10/29/2019
The SAML authentication handler makes use of an ISamlClaimFactory for constructing Claims from the SAML subject and attributes.
The default implementation of ISamlClaimFactory assumes single value SAML attributes and sets the claim value to SamlAttribute.ToString().
You could implement this interface to handle multi-value SAML attributes.
However, perhaps this is something we should do.
How exactly would you want multi-value SAML attributes to be handled?
Would multiple claims be created with the same name and different values?
I'd have to check if this is supported by .NET Core.
[/quote]

We have used OpenID Connect to authenticate with the same application in Azure AD and it returns multiple claims with the same type but different values. This is what is expected also. This allows the application to actually use the claim for authorization. As all the claims of the same type are in a single claim value, we cannot apply any claim-based rules to them.
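As an added illustration (not code from ComponentSpace or this thread), here is a helper that turns the SamlAttribute.AttributeValues list described above into one Claim per value, plus the kind of claim check that only works once the group claims are separate; the ComponentSpace.Saml2.Assertions namespace and the SamlAttribute.Name property are assumptions to verify against the installed version, and the exact ISamlClaimFactory method signature is deliberately not assumed, so the helper is meant to be called from your own implementation of that interface.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using ComponentSpace.Saml2.Assertions; // assumed namespace for SamlAttribute / AttributeValue

public static class MultiValueClaimHelper
{
    public const string GroupsClaimType =
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups";

    // Builds one Claim per AttributeValue. The default claim factory uses
    // SamlAttribute.ToString(), which concatenates every value into one claim,
    // so a membership check against a single group ID can never match.
    public static IList<Claim> CreateClaims(IEnumerable<SamlAttribute> attributes)
    {
        var claims = new List<Claim>();

        foreach (var attribute in attributes)
        {
            foreach (var attributeValue in attribute.AttributeValues)
            {
                var value = attributeValue.ToString();

                // Skip empty values so no blank group claim reaches authorization.
                if (string.IsNullOrWhiteSpace(value))
                {
                    continue;
                }

                // attribute.Name is assumed to expose the SAML Attribute Name.
                claims.Add(new Claim(attribute.Name, value.Trim()));
            }
        }

        return claims;
    }

    // With separate claims, a group check is an exact-value match on the claim
    // type, which is what RequireClaim(type, allowedValues) does in a policy.
    public static bool IsInGroup(ClaimsPrincipal principal, string groupId)
    {
        return principal.HasClaim(GroupsClaimType, groupId);
    }
}
```

Call CreateClaims from your ISamlClaimFactory implementation and add the returned claims to the identity; a policy such as RequireClaim(MultiValueClaimHelper.GroupsClaimType, "<group id>") then evaluates each group claim independently.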

Thanks for the clarification. This is currently being investigated. I’ll get back to you with an update as soon as I can.