Default pages bug in 3.2.3?

Phillip Grandsard pgrandsard at
Mon Aug 9 14:29:18 UTC 2021

This happens to both built-in and assertion attributes from the IdP.
I did add an assertion attribute extractor, but only to set the built-in
variables to upper case.
<AttributeExtractor type="Assertion"

My workaround was to stop using the default document.

On Sat, Aug 7, 2021 at 10:01 AM Cantor, Scott <cantor.2 at> wrote:

> Actually, I'm puzzled, because based on the code, this shouldn't be
> happening. The duplication of the values is only something that appears to
> affect the attribute export step. The "built-in" variables are just applied
> with a call that ends up calling SetServerVariable or SetHeader directly,
> not appending to pre-existing state.
> So there should not have been any duplication introduced by the security
> fix and I have no idea what you're seeing here.
> If by some chance you're actually using the workaround I mentioned with
> the Assertion attribute extractor instead, then that would result in
> duplication, but setting the option to block export of duplicate attribute
> values would address that.
> If that option didn't work for the attributes, then that would explain the
> other duplication as well but it did for me and for others that applied
> that as a workaround for Microsoft's bug.
> -- Scott
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list