OAM 11.1.2.2: Federation: SAML Attribute Response for Group ($user.groups) Is Blank When AD Is Used As Userstore. (Doc ID 1906954.1)

Last updated on MARCH 26, 2015

Applies to:

Oracle Access Manager - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Symptoms

OAM 11.1.2.2.0 is acting as the Identity Provider (IDP) and an OpenSSO Fedlet is acting as the Service Provider (SP).

The IDP is using AD 2008 R2 as the user store.

The SP attribute profile is configured so that Active Directory group names will be included in the SAML AttributeStatement of the assertion being sent from the IDP to SP.

When an attribute in the SP attribute profile is mapped to $user.groups, the corresponding attribute value in the assertion is blank.

Other attributes such as cn or uid or memberof are getting populated correctly.

Further diagnosis showed that the problem is specific to having the user store set to Active Directory (AD).

The group attribute $user.groups is populated correctly if the user store is anything other than AD (for example, Oracle Unified Directory (OUD)).

Notice that the group information is blank in the following SAML assertion:

 



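The check below is an added example, not part of this note or of OAM: it parses a SAML 2.0 assertion and lists the attributes in the AttributeStatement that carry no value, which is how the $user.groups symptom shows up in the assertion received by the SP. The assertion embedded in it is constructed for the example (issuer, ID and values are placeholders), not one captured from OAM.

```python
"""Diagnostic check: find attributes in a SAML 2.0 AttributeStatement whose
AttributeValue is blank or missing. The sample assertion is constructed for
this example; cn, uid and memberof carry values while "groups" is blank,
mirroring the symptom described above."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion (placeholder issuer, ID and values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0" IssueInstant="2015-03-26T00:00:00Z">
  <saml:Issuer>https://idp.example.com/oam/fed</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="cn"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>CN=Admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml: str) -> dict:
    """Map each Attribute Name in the AttributeStatement to its list of
    non-blank AttributeValue strings (whitespace-only values are dropped)."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text.strip()
                  for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")
                  if v.text and v.text.strip()]
        result[attr.get("Name")] = values
    return result


def blank_attributes(assertion_xml: str) -> list:
    """Names of attributes that are present in the statement but carry no
    value (empty AttributeValue or no AttributeValue element at all)."""
    return [name for name, values in attribute_values(assertion_xml).items()
            if not values]


if __name__ == "__main__":
    print("blank attributes:", blank_attributes(SAMPLE_ASSERTION))
```

Run it against the decoded SAMLResponse the SP received; an output listing the group attribute while cn, uid and memberof are absent from the list reproduces the symptom above.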
Cause
