ComponentSpace

Forums



Multiple saml assertion attributevalue is concatenated in a single claim


lsiddiquee
Hi,
We are using ComponentSpace SAML to integrate with Azure AD in ASP.NET Core. We get a proper set of assertions from Azure AD and get the following from there:


<Assertion ID="_dd286df1-2f38-4e2d-9a83-9c6169552000" IssueInstant="2019-10-29T15:14:02.221Z" Version="2.0"   xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
...
   <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <AttributeValue>32955b95-b636-4dc9-a47d-1d6901c472df</AttributeValue>
    <AttributeValue>1e76c02a-e6ac-4448-9b93-da31d81f8bc5</AttributeValue>
    <AttributeValue>429ba3ed-ebe1-4dbd-9c4f-6cecbcaf6c4d</AttributeValue>
    <AttributeValue>c2c08580-f111-4820-af83-c7def1603f68</AttributeValue>
    <AttributeValue>a302eb51-a066-4b74-8b46-7dce1d0a036c</AttributeValue>
    <AttributeValue>d0512373-70db-4815-ac57-640119b502bf</AttributeValue>
    <AttributeValue>78b8b3f4-a410-4acc-80ab-b965be21a74b</AttributeValue>
   </Attribute>
...
</Assertion>


However, in our application we get a single claim with all the values concatenated as a single claim, rather than separate claims for every value.

Regards
Likhan
ComponentSpace
I'm assuming you're calling var ssoResult = await _samlServiceProvider.ReceiveSsoAsync().
The ssoResult.Attributes returns an array of SamlAttribute objects.
If you use SamlAttribute.ToString(), this returns the concatenated SAML attribute values.
Instead, access the SamlAttribute.AttributeValues property which returns the list of AttributeValue objects.
The AttributeValue.ToString() returns the individual attribute value as a string.

Regards
ComponentSpace Development
lsiddiquee
> ComponentSpace - 10/29/2019
> I'm assuming you're calling var ssoResult = await _samlServiceProvider.ReceiveSsoAsync().
> The ssoResult.Attributes returns an array of SamlAttribute objects.
> If you use SamlAttribute.ToString(), this returns the concatenated SAML attribute values.
> Instead, access the SamlAttribute.AttributeValues property which returns the list of AttributeValue objects.
> The AttributeValue.ToString() returns the individual attribute value as a string.

Hi. Thanks for the reply. We are not calling anything ourselves to create the authenticated principal. We are using the middleware approach and added it to the authentication pipeline.
ComponentSpace
The SAML authentication handler makes use of an ISamlClaimFactory for constructing Claims from the SAML subject and attributes.
The default implementation of ISamlClaimFactory assumes single-value SAML attributes and sets the claim value to SamlAttribute.ToString().
You could implement this interface to handle multi-value SAML attributes.
However, perhaps this is something we should do.
How exactly would you want multi-value SAML attributes to be handled?
Would multiple claims be created with the same name and different values?
I'd have to check if this is supported by .NET Core.

Regards
ComponentSpace Development
lsiddiquee
> ComponentSpace - 10/29/2019
> The SAML authentication handler makes use of an ISamlClaimFactory for constructing Claims from the SAML subject and attributes.
> The default implementation of ISamlClaimFactory assumes single value SAML attributes and sets the claim value to SamlAttribute.ToString().
> You could implement this interface to handle multi-value SAML attributes.
> However, perhaps this is something we should do.
> How exactly would you want multi-value SAML attributes to be handled?
> Would multiple claims be created with the same name and different values?
> I'd have to check if this is supported by .NET Core.

We have used OpenIdConnect to authenticate with the same application in Azure AD and it returns multiple claims with the same type but different values. This is what is expected also. This allows the application to actually use the claim for authorization. As all the claims of the same type are in a single claim value, we cannot apply any claim-based rules on that.
ComponentSpace
Thanks for the clarification. This is currently being investigated. I'll get back to you with an update as soon as I can.

Regards
ComponentSpace Development
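
Added example (not part of the original thread and not ComponentSpace's code): why the concatenated groups claim defeats claim-based authorization while one claim per AttributeValue works. It uses only System.Xml.Linq and System.Security.Claims rather than the ComponentSpace API; the ", " separator, the "saml-demo" scheme name and the RequiredGroup choice are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Xml.Linq;

// Constructed sample: the groups attribute from the question, trimmed to three values.
// Assumes the SAML stack has already validated the assertion (signature, conditions).
const string GroupsType = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups";
const string RequiredGroup = "1e76c02a-e6ac-4448-9b93-da31d81f8bc5"; // group the policy requires
const string AssertionXml = @"
<Assertion xmlns=""urn:oasis:names:tc:SAML:2.0:assertion"">
  <AttributeStatement>
    <Attribute Name=""http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"">
      <AttributeValue>32955b95-b636-4dc9-a47d-1d6901c472df</AttributeValue>
      <AttributeValue>1e76c02a-e6ac-4448-9b93-da31d81f8bc5</AttributeValue>
      <AttributeValue>429ba3ed-ebe1-4dbd-9c4f-6cecbcaf6c4d</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>";

XNamespace saml = "urn:oasis:names:tc:SAML:2.0:assertion";
List<XElement> attributes = XDocument.Parse(AssertionXml).Descendants(saml + "Attribute").ToList();

IEnumerable<string> Values(XElement attribute) =>
    attribute.Elements(saml + "AttributeValue").Select(v => v.Value.Trim());

ClaimsPrincipal Build(IEnumerable<Claim> claims) =>
    new ClaimsPrincipal(new ClaimsIdentity(claims, "saml-demo")); // hypothetical scheme name

// Behaviour reported in the thread: every value joined into one claim.
// The ", " separator is an assumption made for this illustration.
ClaimsPrincipal concatenated = Build(attributes.Select(a =>
    new Claim(a.Attribute("Name")!.Value, string.Join(", ", Values(a)))));

// Behaviour the poster expects: one claim per AttributeValue, all with the same type.
ClaimsPrincipal perValue = Build(attributes.SelectMany(a =>
    Values(a).Select(v => new Claim(a.Attribute("Name")!.Value, v))));

foreach (var (label, user) in new[] { ("concatenated", concatenated), ("per-value", perValue) })
{
    // HasClaim compares the whole claim value, so a joined string never equals one group ID.
    Console.WriteLine($"{label}: {user.FindAll(GroupsType).Count()} claim(s), " +
                      $"member of required group = {user.HasClaim(GroupsType, RequiredGroup)}");
}
```

Matching the joined string by substring instead would be brittle, so splitting into per-value claims at the point where claims are constructed is the safer place to fix this.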