OpenAM SAML attributes not returned when using Dynamic user profile?

This topic has 9 replies, 6 voices, and was last updated 6 years, 3 months ago by Peter Major.



    I’ve come across an issue where SAML attributes are not being returned to the SP when the user profile setting is set to Dynamic. When set to Required (and an account exists) attributes are returned correctly. When set to Dynamic the account gets created in the data store, with attribute values assigned, but then no attributes are returned in the SAML response.

    I came across this message from someone also having the same issue. They were directed to the following bug; however, this seems to be related to not correctly setting the attribute values for the dynamically created user. These are being set fine, just no attribute values returned in the SAML response, even for users who already exist in the data store.

    They were directed to the following bug:


    The IdP Attribute Mapper used by default does not load attributes from data stores / SSO session when ‘profile’ is set to ‘ignored’ or ‘dynamic’ in Core auth settings.

    You need to create your own implementation.

     Peter Major

    This is a bug IMO for quite a long while now, but nobody seemed to be annoyed by it enough to actually raise an issue about it in JIRA… Would be great to finally resolve this unnecessary limitation.


    I’m running into this same bug/issue. Not sure if I’m going about this in the right way.

    We’re using AD as a datastore but we don’t want to write to it. However if we set profile to Ignore/Dynamic, we can’t fetch the attributes and map them accordingly.

    If we set profile to Required, I believe OpenAM tries to write these attributes (sun-fm-saml2-nameid-info, sun-fm-saml2-nameid-infokey) and fails since those attributes do not exist in AD.

    ERROR: An error occured while setting attributes for identity: testuser
    org.forgerock.opendj.ldap.ConstraintViolationException: No Such Attribute: 00000057: LdapErr: DSID-0C090CD6, comment: Error in attribute conversion operation, data 0, v2580


    It looks like I solved this using the “Disable NameID persistence” option.


    Hi, I’m stuck with this exact same issue. Has it been fixed or is there any workaround for it?


    See my post above. My workaround was “Disable NameID persistence” so that OpenAM doesn’t attempt to write attributes to the datastore (AD).

     Peter Major

    I’ve raised . The workaround is to implement a custom IDPAttributeMapper implementation that works even when the profile mode is set to dynamic.


    Hi Peter,

    I once had this issue and I fixed this by returning false in a custom attribute mapper.

    package be.patches.federation;
    import com.sun.identity.saml2.plugins.DefaultLibraryIDPAttributeMapper;

    public class PatchIDPAttributeMapper extends DefaultLibraryIDPAttributeMapper {
        /**
         * Constructor
         */
        public PatchIDPAttributeMapper() {
        }

        /**
         * Checks if dynamical profile creation or ignore profile is enabled.
         * @param realm realm to check the dynamical profile creation attributes.
         * @return true if dynamical profile creation or ignore profile is enabled,
         *     false otherwise.
         */
        protected boolean isDynamicalOrIgnoredProfile(String realm) {
            // Always report "neither dynamic nor ignored", whatever the realm is set to.
            return false;
        }
    }
     Peter Major

    Yeah, that will do the job, but for Ignored profile you really should be returning true. :)
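
An added diagnostic (not code from this thread or from OpenAM) for confirming the symptom described above and for checking that a mapper change takes effect: it lists the attributes carried in a base64-encoded SAMLResponse as sent over the HTTP-POST binding. The sample responses and the attribute names `mail` and `givenName` are constructed, and the script assumes an unencrypted assertion.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def saml_attributes(b64_response):
    """Return {attribute name: [values]} from a base64 HTTP-POST SAMLResponse.

    Diagnostic only: signatures are not validated and encrypted
    assertions are rejected rather than decrypted.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.find("saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting")
    attrs = {}
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def missing_attributes(b64_response, expected):
    """Names from `expected` that the response lacks or returns with no value."""
    got = saml_attributes(b64_response)
    return sorted(name for name in expected if not any(got.get(name, [])))

# Constructed sample responses (not captured from a real IdP).
def _sample(statement):
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>'
           + statement + '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode())

WITH_ATTRS = _sample(
    '<saml:AttributeStatement>'
    '<saml:Attribute Name="mail"><saml:AttributeValue>testuser@example.com'
    '</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="givenName"><saml:AttributeValue>Test'
    '</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement>')
WITHOUT_ATTRS = _sample("")  # the shape reported for the Dynamic profile setting

if __name__ == "__main__":
    for label, resp in (("with attributes", WITH_ATTRS), ("without", WITHOUT_ATTRS)):
        print(label, saml_attributes(resp),
              "missing:", missing_attributes(resp, ["mail", "givenName"]))
```
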
