  1. PicketLink
  2. PLINK-543

For better compatibility PL IDP should combine multiple AttributeStatements into a single AttributeStatement


    • Type: Feature Request
    • Resolution: Done
    • Priority: Minor
    • PLINK_2.7.0.CR1
    • PLINK_2.1.X
    • SAML

      We are trying to integrate a PL IDP with a vendor SP that we don't have any control over. Their SP is rejecting our response assertion because it includes 2 AttributeStatement blocks and they are expecting 1.

      While the spec at http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf on line 2077 seems to indicate that multiple AttributeStatements are a technically correct approach, I'm not sure it is a "normal" approach. I know simplesamlphp IDP doesn't do multiple AttributeStatements out of the box. If you happen to know that other IDPs take the multiple AttributeStatements approach feel free to close this ticket. If you aren't sure, please decide if you think PL should be changed to issue a single AttributeStatement instead of multiple so it can be technically correct and potentially more "normal" so that we would have better compatibility with 3rd party SPs.

      We have now had 2 vendors complain about this. The 2nd one was savvy enough to patch the pysaml2 library they were using https://github.com/BetterWorks/pysaml2/commit/64a2078aa19535cc8825282a4e16353c4448303b?w=1. This however does make me think more and more that what we are doing isn't "normal" and needs to be changed. I'll try and figure out what SP the other vendor uses OpenSAML https://wiki.shibboleth.net/confluence/display/OpenSAML/Home which I imagine is being used by quite a few people.


      Example assertion:
      <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Destination="https://rewardzone.redhat.com/saml/acs"
      ID="ID_0afaf150-4283-41a1-860b-b59b1143d41a"
      InResponseTo="_eb9c6ba835d80e20f1f36c1ac0956fe24c474090a0"
      IssueInstant="2014-08-11T13:30:51.468Z"
      Version="2.0"
      >
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.redhat.com/idp/</saml:Issuer>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <dsig:Reference URI="#ID_0afaf150-4283-41a1-860b-b59b1143d41a">
      <dsig:Transforms>
      <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>r4i33KDAC59Nm3gQ4Zw2ym9h1S0=</dsig:DigestValue>
      </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>H3wMzpBqcjmniKGPaijo+XnyI6GYoE6TN2u8LFRFsJamzIVPCGsiL5+rqQVcirKqIO0jEQQF5ICcTX/dmvVg1P2CA5ZXSGX2mC8zk1Kn9tbQfsjZZ1+3ywNim4w33tbOI6TTPqDOKDx7R0JqJWjTEXH7oPoR835xEkcak++LqdPJZC5fQk7nu6/B1+buqME4/q2rL/kMRXEtPUAX5dWfkFr0bvtrQ945ospb+JhWTG1Rid2Y2YimNLaWBaz/IKVDpSX8onRqhLEhfEZs5FubqA+GkkLqdjC0bnVYnmGX7Vn86mLwU/TiCIeodBLCj8p4vU8/opaUJARL44LHTeo8Xg==</dsig:SignatureValue>
      <dsig:KeyInfo>
      <dsig:X509Data>
      <dsig:X509Certificate>[X509 certificate omitted]</dsig:X509Certificate>
      </dsig:X509Data>
      <dsig:KeyValue>
      <dsig:RSAKeyValue>
      <dsig:Modulus>7FZf/87EphxgcXuaVobrCMxb1TmrilHHOk9x46Gpe3GW0AG1v/hapabBu6oY8N/PoUQXjN09ncEymn6bYqYPJR31OpFxlOpOomD/5ex3LwVX9aiqsGUJofYETMWB0dJnDaiSGBWW6LeXW60o0y+eyXlNJrZvn4rI2YyRFncQ4GU/Jkwf7Z5aWYdBm/CpW1jJ3+4D36hUC9xSO2dmo+iYuIKJs/JW6Sk43H0l05HmiJU+d0J3JWeyD7JMM0wnvfKtNTXiO87jsfLf0T34yMY4Zv3mLuOQhl7q8W7/i+h40lBPtVpuoTyITSOHJTQEeRlXSoZvCSeKmYHMqnoLbLlhzQ==</dsig:Modulus>
      <dsig:Exponent>AQAB</dsig:Exponent>
      </dsig:RSAKeyValue>
      </dsig:KeyValue>
      </dsig:KeyInfo>
      </dsig:Signature>
      <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
      </samlp:Status>
      <saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
      ID="ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca"
      IssueInstant="2014-08-11T13:30:51.467Z"
      Version="2.0"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      >
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://saml.redhat.com/idp/</saml:Issuer>
      <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:SignedInfo>
      <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <dsig:Reference URI="#ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca">
      <dsig:Transforms>
      <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
      <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <dsig:DigestValue>g4R5y0+EgSCOsR/fgNzJeIOxPJI=</dsig:DigestValue>
      </dsig:Reference>
      </dsig:SignedInfo>
      <dsig:SignatureValue>ncCz34kkDcl+h+K6DHP/Cg1u03fLdCbm+6VBjQEv/mbRQvpIsf9M+3GajKcuKm0H+jP0c3Oo7IkSQw4SjWxfezd3KmSLVWvFVg5MPlJ2a4udEAyLAxlRoqbVZ9PBOtZ1m9d0vfMdj6S1w+ckyWeoCc5t7S17WrPrbFpZRybixeNuXZOvFCnkOfrpjvcdwPZmVuwB9858vRHZch3kDt2qJ+UjTPekmexXnx87JzrXHJv7Wz7oUya8F7uN5tRTgvUV+4e5dijsWZMTgXVnwtlQstMZ8KCaxRdyz/71SzkKcaWKAZfbnXRkGg0KR6h2IikNeNPiguzQmYzKDA1S9dHeTQ==</dsig:SignatureValue>
      <dsig:KeyInfo>
      <dsig:X509Data>
      <dsig:X509Certificate>[X509 certificate omitted]</dsig:X509Certificate>
      </dsig:X509Data>
      <dsig:KeyValue>
      <dsig:RSAKeyValue>
      <dsig:Modulus>7FZf/87EphxgcXuaVobrCMxb1TmrilHHOk9x46Gpe3GW0AG1v/hapabBu6oY8N/PoUQXjN09ncEymn6bYqYPJR31OpFxlOpOomD/5ex3LwVX9aiqsGUJofYETMWB0dJnDaiSGBWW6LeXW60o0y+eyXlNJrZvn4rI2YyRFncQ4GU/Jkwf7Z5aWYdBm/CpW1jJ3+4D36hUC9xSO2dmo+iYuIKJs/JW6Sk43H0l05HmiJU+d0J3JWeyD7JMM0wnvfKtNTXiO87jsfLf0T34yMY4Zv3mLuOQhl7q8W7/i+h40lBPtVpuoTyITSOHJTQEeRlXSoZvCSeKmYHMqnoLbLlhzQ==</dsig:Modulus>
      <dsig:Exponent>AQAB</dsig:Exponent>
      </dsig:RSAKeyValue>
      </dsig:KeyValue>
      </dsig:KeyInfo>
      </dsig:Signature>
      <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      >dminnich</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_eb9c6ba835d80e20f1f36c1ac0956fe24c474090a0"
      NotOnOrAfter="2014-08-11T13:31:00.667Z"
      Recipient="https://rewardzone.redhat.com/saml/acs"
      />
      </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2014-08-11T13:30:49.467Z"
      NotOnOrAfter="2014-08-11T13:31:00.667Z"
      >
      <saml:AudienceRestriction>
      <saml:Audience>https://rewardzone.redhat.com/saml/spMetadata</saml:Audience>
      </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2014-08-11T13:30:51.468Z"
      SessionIndex="ID_0ec528d8-a732-4b14-9ac6-7149fbe0acca"
      >
      <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
      <saml:Attribute Name="Role">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >Contingent Worker</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >Users</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >authenticated</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="Role">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >devlab-tower-iam-access</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AttributeStatement>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      FriendlyName="uid"
      Name="urn:oid:0.9.2342.19200300.100.1.1"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      x500:Encoding="LDAP"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >dminnich</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      FriendlyName="sn"
      Name="urn:oid:2.5.4.4"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      x500:Encoding="LDAP"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >Minnich</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="rhatPersonType"
      Name="rhatPersonType"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >Contingent Worker</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      FriendlyName="cn"
      Name="urn:oid:2.5.4.3"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      x500:Encoding="LDAP"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >Dustin Minnich</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      FriendlyName="email"
      Name="urn:oid:1.2.840.113549.1.9.1"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      x500:Encoding="LDAP"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >dminnich@redhat.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
      FriendlyName="givenName"
      Name="urn:oid:2.5.4.42"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      x500:Encoding="LDAP"
      >
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:string"
      >Dustin</saml:AttributeValue>
      </saml:Attribute>
      </saml:AttributeStatement>
      </saml:Assertion>
      </samlp:Response>

      ------
      standalone-ha bits:
      <security-domain name="RedHatSAMLIDP" cache-type="default">
      <authentication>
      <login-module code="SPNEGO" flag="optional">
      <module-option name="password-stacking" value="useFirstPass" />
      <module-option name="serverSecurityDomain" value="host" />
      <module-option name="removeRealmFromPrincipal" value="true" />
      <module-option name="debug" value="true" />
      </login-module>

      <login-module code="com.redhat.it.jboss.loginModules.JbossRadiusLoginModule" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="hostName" value="linotp01.authmgr.prod.int.rdu2.redhat.com"/>
      <module-option name="secondaryHostName" value="linotp01.authmgr.prod.int.ams2.redhat.com"/>
      <module-option name="sharedSecret" value="NO"/>
      <module-option name="authRoleName" value="authenticated"/>
      <module-option name="authPort" value="1812"/>
      <module-option name="acctPort" value="1813"/>
      <module-option name="numRetries" value="3"/>
      </login-module>
      <!-- fake role login module - makes sure all authenticated users have a default role, otherwise jboss gets unhappy -->
      <login-module code="com.redhat.it.jboss.loginModules.StaticRoleLoginModule" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="authRoleName" value="authenticated"/>
      </login-module>
      <login-module code="com.redhat.it.jboss.loginModules.StaticRoleLoginModule" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="authRoleName" value="Users"/>
      </login-module>
      </authentication>

      <audit>
      <provider-module code="org.picketlink.identity.federation.core.audit.PicketLinkAuditProvider"/>
      </audit>
      <mapping>
      <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider" type="attribute">
      <module-option name="java.naming.provider.url" value="ldaps://ldap01.intranet.dev.int.phx1.redhat.com"/>
      <module-option name="bindDN" value="uid=picketlink,ou=serviceaccounts,dc=redhat,dc=com"/>
      <module-option name="bindCredential" value="NO"/>
      <module-option name="baseCtxDN" value="ou=users,dc=redhat,dc=com"/>
      <module-option name="baseFilter" value="(uid={0})"/>
      <module-option name="attributeList" value="mail,cn,givenName,sn,rhatPersonType,uid"/>
      <module-option name="searchTimeLimit" value="10000"/>
      </mapping-module>
      <mapping-module code="org.jboss.security.mapping.providers.role.LdapRolesMappingProvider" type="role">
      <module-option name="java.naming.provider.url" value="ldaps://ldap01.intranet.dev.int.phx1.redhat.com"/>
      <module-option name="bindDN" value="uid=picketlink,ou=serviceaccounts,dc=redhat,dc=com"/>
      <module-option name="bindCredential" value="NO"/>
      <module-option name="rolesCtxDN" value="ou=users,dc=redhat,dc=com"/>
      <module-option name="roleFilter" value="(uid={0})"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="searchTimeLimit" value="10000"/>
      </mapping-module>
      </mapping>

      </security-domain>
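The normalisation this ticket asks for, as an added example (not PicketLink's own code): every saml:Attribute from the second and later AttributeStatement elements is moved into the first one, so an SP that only reads the first statement (as the vendor SPs above did) still sees the roles and the LDAP attributes. The sample assertion is constructed for the example and is unsigned; the merge refuses to touch an assertion that already carries a ds:Signature, because the enveloped signature in the example above covers the whole Assertion element and any later change to its children invalidates it. The IdP must therefore merge before signing.

```python
"""Merge several saml:AttributeStatement elements of one Assertion into a single statement.

Added example, not PicketLink code. Namespace URIs are the SAML 2.0 and XML-DSig ones
used in the ticket's assertion; the sample assertion and its values are constructed.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)  # keep the saml: prefix when serialising


def _q(local, ns=SAML):
    return "{%s}%s" % (ns, local)


def _assertion(root):
    """Accept either a bare saml:Assertion or a samlp:Response wrapping one."""
    if root.tag == _q("Assertion"):
        return root
    assertion = root.find(_q("Assertion"))
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    return assertion


def merge_attribute_statements(assertion):
    """Move every saml:Attribute into the first AttributeStatement and drop the
    now-empty extra statements. Returns how many statements were removed."""
    if assertion.find(_q("Signature", DSIG)) is not None:
        # Changing a signed assertion breaks its enveloped signature: merge before signing.
        raise ValueError("assertion is already signed; merge AttributeStatements before signing")
    statements = assertion.findall(_q("AttributeStatement"))
    if len(statements) <= 1:
        return 0
    target = statements[0]
    for extra in statements[1:]:
        for child in list(extra):      # list(): we mutate 'extra' while iterating
            extra.remove(child)
            target.append(child)        # order within the merged statement is preserved
        assertion.remove(extra)
    return len(statements) - 1


def count_statements_in(xml_text):
    return len(_assertion(ET.fromstring(xml_text)).findall(_q("AttributeStatement")))


def attribute_names_in(xml_text):
    """SP-side view: collect Attribute Names across *all* statements, as a tolerant
    consumer (like the patched pysaml2 mentioned above) would."""
    assertion = _assertion(ET.fromstring(xml_text))
    return [a.get("Name")
            for s in assertion.findall(_q("AttributeStatement"))
            for a in s.findall(_q("Attribute"))]


def is_signed(xml_text):
    return _assertion(ET.fromstring(xml_text)).find(_q("Signature", DSIG)) is not None


def normalise(xml_text):
    """Return (serialised XML with a single AttributeStatement, statements removed)."""
    root = ET.fromstring(xml_text)
    removed = merge_attribute_statements(_assertion(root))
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: two AttributeStatements, as the PicketLink IdP emitted them.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ID_example" Version="2.0" IssueInstant="2014-08-11T13:30:51.467Z">
  <saml:Issuer>https://idp.example.com/idp/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2014-08-11T13:30:51.468Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role"><saml:AttributeValue>Users</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Role"><saml:AttributeValue>authenticated</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.2.840.113549.1.9.1" FriendlyName="email">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with a (placeholder) signature already applied: merging must be refused.
SIGNED_SAMPLE = SAMPLE.replace(
    "</saml:Issuer>",
    '</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>')

if __name__ == "__main__":
    merged, removed = normalise(SAMPLE)
    print("removed %d statement(s); now %d" % (removed, count_statements_in(merged)))
    print(merged)
```

The SP-side helper attribute_names_in shows the complementary fix: a consumer that walks every AttributeStatement is unaffected by how the IdP splits them, which is what the vendor's pysaml2 patch achieved.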

      Assignee: Pedro Igor Craveiro (psilva@redhat.com)
      Reporter: Dustin Minnich (rhit_dminnich)