Overview
A customer recently implemented a new SAML partnership and the partnership requires several multi-value attributes to be included in the assertion. One of the values being included exceeds the default attribute length of 1024 characters allowed by SiteMinder. So, how do you change the max user attribute size for SAML in Symantec SiteMinder?
Increasing the Maximum User Attribute Length
The file named “EntitlementGenerator.properties” is responsible for controlling the maximum length of the user attributes within an assertion. The limits specified in that properties file are applied to each user attribute within an assertion and the file is in the following directory on the policy server:
/{siteminder home}/config/properties/
The following are the default values in the file:
com.netegrity.assertiongenerator.wsfed.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml1.MaxUserAttributeLength=1024
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=1024
Our customer needed to support a maximum attribute length of 24K for a SAML2 assertion. As such, we recommended that they change the value for the last line from 1024 to 24000. The following is the updated entry:
com.netegrity.assertiongenerator.saml2.MaxUserAttributeLength=24000
The other two lines mentioned above did not have to be changed as WS-FED and SAML1 did not require limit modifications at that time. To fully implement the change, this file should be updated on all SiteMinder policy servers that are responsible for generating SAML assertions and the policy servers should be restarted after the changes are made.
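The edit described above can be scripted so that only the entry for one protocol changes and a rollback copy of the file is kept. The following shell script is an added example, not Symantec or SIS code; the function names are hypothetical, and the demo at the end runs against a constructed copy of the file holding the default values, not a real policy server.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not part of SiteMinder.
PREFIX='com.netegrity.assertiongenerator'

# Print the current limit for one protocol (wsfed, saml1 or saml2).
get_max_attr_len() {
    sed -n "s/^${PREFIX}\.$2\.MaxUserAttributeLength=\([0-9]*\).*/\1/p" "$1" | tail -n 1
}

# Set the limit for one protocol only, leaving the other entries untouched.
set_max_attr_len() {
    file=$1 proto=$2 value=$3
    case $proto in wsfed|saml1|saml2) ;; *) echo "unknown protocol: $proto" >&2; return 2 ;; esac
    case $value in ''|*[!0-9]*) echo "value must be digits only: $value" >&2; return 2 ;; esac
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    key="${PREFIX}.${proto}.MaxUserAttributeLength"
    [ "$(get_max_attr_len "$file" "$proto")" = "$value" ] && return 0   # already set, no rewrite
    cp -p "$file" "$file.bak" || return 1      # rollback copy of the previous settings
    tmp=$(mktemp) || return 1
    if grep -q "^${key}=" "$file"; then
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"   # entry absent: append it
    fi
    cat "$tmp" > "$file"                       # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Demo on a constructed file containing the three default entries from the article.
demo=$(mktemp -d)/EntitlementGenerator.properties
for p in wsfed saml1 saml2; do
    echo "${PREFIX}.$p.MaxUserAttributeLength=1024"
done > "$demo"
set_max_attr_len "$demo" saml2 24000
grep MaxUserAttributeLength "$demo"
```

On a real deployment the first argument would be the properties file under /{siteminder home}/config/properties/ on each policy server that generates SAML assertions, followed by the restart described above.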