My Oracle Support Banner

OAM Federation: SAML Attribute Response for Group ($user.groups) Is Blank When AD Is Used As Userstore. (Doc ID 1906954.1)

Last updated on APRIL 26, 2019

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


OAM acting as an Identity Provider (IDP) and OpenSSO fedlet acting as the Service Provider (SP).

The IDP is using AD 2008 R2 as the user store.

The SP attribute profile is configured so that Active Directory group names will be included in the SAML AttributeStatement of the assertion being sent from the IDP to SP.

When the SP profile attribute is set as $user.groups, the attribute value is set as blank.

Other attributes such as cn or uid or memberof are getting populated correctly.

Further diagnosis showed that  the problem was specific to having the userstore set to Active Directory (AD).

The group attribute $user.groups gets set correctly if the userstore was anything other then AD (like Oracle Unified Directory (OUD).

Notice the group information is blank in the following SAML assertion;





To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.