In a scenario where NetScaler is acting as the SAML IDP and there is an SP present in the internal network, when a user authenticates with userprincipalname, the user's groups are not retrieved if the user is a member of many groups (in this case the user is part of 45 groups). If the user is part of only a few groups (tested with 5), extraction is fine.
The issue is not the number of groups; it is the number of characters in the group names that leads to the problem. As per the logs, the permissible length for attributes is 1225.
In the NS logs, the following entry appears when the issue occurs:
Sep 11 11:46:06 <local0.info> 127.0.0.2 11/09/2015:11:6:06 amu321 0-PPE-0 : default AAATM Message 587749 0 : "SAMLIDP: SendAssertion: Extracted attribute's length is greater than permissible length, 1225
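
A triage helper for this condition, added here as an example and not Citrix code: it finds the event shown above in NS log lines and checks whether a user's group names fit under the limit the log reports. The separator used to join group names, the group names themselves and the first sample log line are assumptions constructed for the example.

```python
import re

# Matches the AAATM event quoted above; the trailing number is the limit.
EVENT_RE = re.compile(
    r'(?P<host>\S+)\s+(?P<pe>\S+)\s+:\s+default\s+AAATM\s+Message\s+'
    r'(?P<msg_id>\d+)\s+\d+\s+:\s+"SAMLIDP: SendAssertion: Extracted '
    r"attribute's length is greater than permissible length,\s*(?P<limit>\d+)"
)

def find_oversized_attribute_events(lines):
    """Return one dict per log line reporting an over-length SAML attribute."""
    events = []
    for number, line in enumerate(lines, 1):
        m = EVENT_RE.search(line)
        if m:
            events.append({"line": number, "host": m["host"], "pe": m["pe"],
                           "msg_id": int(m["msg_id"]), "limit": int(m["limit"])})
    return events

def groups_fit(group_names, limit, sep=","):
    """Return (joined_length, fits). sep is an assumption: the page does not
    say how the group list is serialized into the attribute."""
    total = len(sep.join(group_names))
    return total, total <= limit  # the log fires only when length > limit

# First line is constructed filler; second is the entry from this page.
SAMPLE_LOG = [
    'Sep 11 11:46:05 <local0.info> 127.0.0.2 11/09/2015:11:46:05 amu321 '
    '0-PPE-0 : default AAATM Message 587748 0 : "constructed unrelated entry"',
    'Sep 11 11:46:06 <local0.info> 127.0.0.2 11/09/2015:11:6:06 amu321 '
    '0-PPE-0 : default AAATM Message 587749 0 : "SAMLIDP: SendAssertion: '
    "Extracted attribute's length is greater than permissible length, 1225",
]

# Constructed group names: 45 long, 45 short, 5 long.
LONG_45 = [f"GRP-Department-Application-Access-Role-{i:02d}" for i in range(45)]
SHORT_45 = [f"g{i:02d}" for i in range(45)]
LONG_5 = LONG_45[:5]

if __name__ == "__main__":
    for event in find_oversized_attribute_events(SAMPLE_LOG):
        print(event)
        for label, groups in (("45 long", LONG_45), ("45 short", SHORT_45),
                              ("5 long", LONG_5)):
            print(label, groups_fit(groups, event["limit"]))
```

With the constructed names, 45 short group names fit under 1225 characters while 45 long ones do not, which matches the page's point that the character count, not the group count, triggers the log entry.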