Attribute value added multiple times to retained value set if multiple policies permit the same values

Fixed in rev 1006

The behavior in the IDP is described in this bug entry, it's when multiple policies release the same attribute.

The point is that the SP cannot tell that, and cannot assume anything about the meaning of multiple identical values because that is not supported by SAML. They could be duplicates or they could be meaningful, and unless you get guarantees outside of the standard, neither is presumed.

Hi Scott, Chad,

Just a final question: are we talking about duplicate values WHEN the underlying IdMS (LDAP) already returns multiple values - or is it that the IdP could be duplicating a single value returned by the underlying LDAP? Even in a case when the IdP is configured to simply return the value resolved from LDAP? Or would the duplication occur only in complex IdP setups?

I'm asking from the point of view whether the duplication potentially affects our use of the IdP - and what kinds of situation could be causing it.

Thanks for bearing with me.

Cheers,
Vlad

Yes, per previous comment, that is exactly what Scott means. That has always been true, irrespective of this bug. SAML simply doesn't guarantee what you're asking it to, so there is in fact no way to handle such a case explicitly vs. accidentally.

Halm, that is correct.

Vlad, applications must be prepared to deal with duplicate values, period. There are countless ways in which duplicate values might occur. Any given individual may think a particular subset of those ways is incorrect and a different subset is okay. Other individuals will have a different view. But at the end of the day, the SP has to deal with it.