Duplicate Attribute Values after Shibboleth Upgrade

David Lovas dlovas at rexovas.com
Mon Sep 13 16:44:43 UTC 2021

Hi Everyone,

Some time ago, I migrated an old IIS7 Application running on Windows Server
2016 from using the OpenToken Plugin for Authentication, to Shibboleth/SAML
as a Service Provider.  At the time, the latest version was

Following the recent vulnerabilities identified with these older versions,
I have attempted (unsuccessfully) to upgrade to the latest version.

This application relies upon a SAML Attribute "HTTP_USER" - the value of
which is a simple user id of the format "abc123".  Using the Chrome Plugin
SAML Tracer, I can see that the value is being sent as expected.

This user ID is used to obtain user permissions from a database, and is
also used for all subsequent writes to the DB.  It is also displayed in the
application after successful SSO authentication.

For some reason, in all versions tested after including the latest, despite SAML Tracer showing the correct "abc123" value, the
application is displaying the value repeated separated by semicolons as
such "abc123;abc123;abc123".  As a result the database can not locate the
user, as the value is incorrect.

Because this is a legacy application, changes to the codebase to resolve
this issue are not possible.

I've attempted adding the following AttributeResolver to try and obtain
only the first occurence of the userId, however this had no effect.

<AttributeResolver type="Transform" source="HTTP_USER">
             <Regex match="[^;]*">$1</Regex>

Has anyone else experienced this issue following the recent updates? There
is no mention of any such breaking change in the changelogs.  Is there some
other change I should make to the shibboleth2.xml or attribute-map.xml

David Lovas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210913/c21920b3/attachment.htm>

More information about the users mailing list