Jump to content
Welcome to our new Citrix community!

ns_saml_disable_comma_sep_attr_res nsapimgr


Peter Erler

Recommended Posts

Hi!

 

In release-notes for ADC version NS12.1 56.22  https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/Citrix-ADC-12-1-56-22.html there is this fixed issue:

    The "saml:AttributeValue" tag is missing from the SAML assertion whenever "ns_saml_disable_comma_sep_attr_res nsapimgr" knob is enabled.
    [# NSHELP-21552]

I can't find any information about this knob "ns_saml_disable_comma_sep_attr_res nsapimgr".

Please post some information about this. Thanks!

 

Regards,

Peter Erler

Link to comment
Share on other sites

Peter, I have no clue. But there are some comma separated lists in assertions. A good example: group membership. If there are more than just one group, attributes are comma separated.

I found following information here:

Name-value attribute support for SAML authentication

You can now configure SAML authentication attributes with a unique name along with values. The names are configured in the SAML action parameter and the values are obtained by querying for the names. By specifying the name attribute value, admins can easily search for the attribute value associated with the attribute name. Also, admins no longer have to remember the attribute by its value alone.

Important

In samlAction command, you can configure a maximum of 64 attributes separated by comma with total size less than 2048 bytes.

Citrix recommends that you use the attributes list. Use of “attribute 1 to attribute 16” will cause session failure if the extracted attribute size is large.

 

Cheers

 

Johannes Norz

Trainer, Blogger, Consultant

CTA, CCI, CCE-N

Link to comment
Share on other sites

We experienced unexpected behavior when updating to v13.0. We are sending group membership in SAML response in a single attribute as a comma separated list. When we updated to 13.0-41.28, the SAML response generated by the Netscaler put the groups into separate attributes instead of keeping them in a single attribute.

 

We were advised by support to run this from the shell and that doing so sends the groups as a comma-separated value in a single attribute.

nsapimgr_wr.sh -ys call="ns_saml_enable_comma_sep_attr_res"

We weren't given any other documentation or detail on the knob.

 

When we did this change on build 13.0-41.28, we saw the groups were correctly in a single attribute, but the attribute was missing the saml:AttributeValue tag:

<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">group1,group2</saml:Attribute>

Whereas valid SAML response (and one that 12.1-51.19 generated) looked like following:

<saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
	<saml:AttributeValue>group1,group2</saml:AttributeValue>
</saml:Attribute>

This has led to the fix that is now in the release notes (NSHELP-21552).

 

We've been told the fix for v13.0 will be released with 13.0-54.1.

  • Like 3
Link to comment
Share on other sites

  • 1 year later...

Newer versions of ADC 13.0+ migrated SAML tokens format from CSV comma separated to XML-format

 

Toggle between CSV type comma separated and XML-format SAML token formats 

 

> nsapimgr_wr.sh -ys call=ns_saml_enable_comma_sep_attr_res
> nsapimgr_wr.sh -ys call=ns_saml_disable_comma_sep_attr_res

 

To make it persistent, you need an rc.netscaler file under /nsconfig/

 

https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/authentication-methods/saml-authentication.html

Security Assertion Markup Language (SAML) is an XML-based authentication mechanism that provides single sign-on capability and is defined by the OASIS Security Services Technical Committee.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...