Multi-Value SAML Assertion Attribute Format

Document ID : KB000111179
Last Modified Date : 15/08/2018
Show Technical Document Details
Introduction:
Federation assertion attributes with multiple values are by default included as a single attribute with caret (^) delimited values.  For example, the attribute will look like this in the assertion:

<ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>test@c.com^test@b.com^test@a.com</ns2:AttributeValue>
</ns2:Attribute>

In this example MailA1 is the name of the assertion attribute that is created in the Federation config, and it is pointing to a directory attribute named Email which contains email addresses.
Question:
Can this type of multi-value attribute use a different delimiter or place each value on it own line?
 
Answer:
The FMATTR: prefix can be used to either change the value delimiter to commas or print each value on a separate line.  If FMATTR: is placed in front of the assertion attribute name, each attribute name will be included on a separate line.

If MailA1 is the assertion attribute name and Email is the directory attribute that contains the values, setting the assertion attribute Value to FMATTR:Email will result in comma-delimited values on a single line as follows:

<ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>test@c.com,test@b.com,test@a.com</ns2:AttributeValue>
</ns2:Attribute>

If the assertion attribute is defined as FMATTR:MAILA1 and the Value points to the Email directory attribute, each attribute value will be included on a separate line as follows:

<ns2:Attribute Name="MailA1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<ns2:AttributeValue>test@c.com</ns2:AttributeValue>
<ns2:AttributeValue>test@b.com</ns2:AttributeValue>
<ns2:AttributeValue>test@a.com</ns2:AttributeValue>
</ns2:Attribute>
 
Additional Information:
Please note the FMATTR is case sensitive and should always be upper case.