OAM 18.104.22.168: Federation: SAML Attribute Response for Group ($user.groups) Is Blank When AD Is Used As Userstore.
Last updated on APRIL 03, 2018
Applies to: Oracle Access Manager - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
In this setup, OAM 126.96.36.199.0 acts as the Identity Provider (IDP) and an OpenSSO Fedlet acts as the Service Provider (SP).
The IDP uses AD 2008 R2 as the user store.
The SP attribute profile is configured so that Active Directory group names will be included in the SAML AttributeStatement of the assertion being sent from the IDP to SP.
When the SP attribute profile maps an attribute to $user.groups, that attribute is sent with a blank value.
Other attributes such as cn or uid or memberof are getting populated correctly.
Further diagnosis showed that the problem is specific to the userstore being Active Directory (AD).
The group attribute $user.groups is populated correctly when the userstore is anything other than AD (for example, Oracle Unified Directory (OUD)).
Notice that the group information is blank in the following SAML assertion:
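To confirm the symptom on the SP side without reading raw XML by eye, the following added check (not part of the article, and not Oracle or OpenSSO code) parses a SAML 2.0 assertion, collects every Attribute in the AttributeStatement, and reports which of the expected attributes arrived with no non-empty AttributeValue. The embedded assertion is constructed for this example: cn and memberof carry values while groups is present but empty, which is the pattern described above.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by both OAM and the OpenSSO Fedlet.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the article): the "groups" attribute
# is present but its AttributeValue is empty, mirroring the reported symptom.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" Version="2.0">
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="cn">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberof">
      <saml:AttributeValue>CN=App Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue></saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml):
    """Return {attribute name: [non-empty values]} from the AttributeStatement.

    An attribute whose AttributeValue elements are all empty (or absent) maps
    to an empty list, so a blank $user.groups mapping shows up as "groups": [].
    """
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        result[name] = [v for v in values if v]
    return result


def blank_attributes(assertion_xml, required=("groups",)):
    """Return the sorted names in `required` that are missing or blank.

    `required` defaults to the group attribute this article is about; pass the
    names your SP attribute profile expects to check all of them at once.
    """
    values = attribute_values(assertion_xml)
    return sorted(name for name in required if not values.get(name))


if __name__ == "__main__":
    for name, vals in attribute_values(SAMPLE_ASSERTION).items():
        print(f"{name}: {vals if vals else '<blank>'}")
    print("blank or missing:", blank_attributes(SAMPLE_ASSERTION, ("cn", "memberof", "groups")))
```

Run it against an assertion captured from the SP's federation debug log (after base64-decoding the SAMLResponse and extracting the Assertion element); a non-empty result for "groups" with a populated memberof reproduces the behaviour described for an AD userstore.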