How does SharePoint 2010 handle multi-valued claims?

I recently ran into an issue with how multi-valued custom claims coming in from the IdP are handled.

For example, if the IdP (ADFS, SiteMinder, RSA FIM) uses AD LDS or AD, then in most environments we would want to reuse the AD security groups for authorization within SharePoint.

SharePoint 2010 handles multi-valued claims differently depending on how the multi-valued attribute arrives from the IdP.

For example, if the SAML payload from the IdP (ADFS, SiteMinder, RSA FIM, etc.) is in the format below, SharePoint will treat the claim value "Value1, Value2" as a single claim:

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
    <saml:AttributeValue>Value1, Value2</saml:AttributeValue>
</saml:Attribute>

For multi-valued claims to be treated as separate claims, SharePoint needs to receive the multi-valued SAML payload in one of these two forms, either as several AttributeValue elements under one Attribute:

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
    <saml:AttributeValue>Value1</saml:AttributeValue>
    <saml:AttributeValue>Value2</saml:AttributeValue>
</saml:Attribute>

or as one Attribute element per value:

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
    <saml:AttributeValue>Value1</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
    <saml:AttributeValue>Value2</saml:AttributeValue>
</saml:Attribute>

For either of the above payloads, SharePoint converts the incoming multi-valued claim into individual claims within SharePoint.

For example, the SharePoint Claims Web Part shows:

The following claims were found in this request:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    XXX

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    XXX

http://schemas.microsoft.com/ws/2008/06/identity/claims/role
    Value1

http://schemas.microsoft.com/ws/2008/06/identity/claims/role
    Value2
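As an added example (not part of the original post and not SharePoint's own code), here is a small Python parser that applies the one-claim-per-AttributeValue rule described above to the three payload shapes, and shows why a permission granted to the group "Value1" never matches when the IdP sends the comma-joined form. The claim type is assumed to be AttributeNamespace + "/" + AttributeName, and the sample payloads are constructed, not captured from a real IdP.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
# Assumed claim type: AttributeNamespace + "/" + AttributeName
GROUPS = "http://schemas.xmlsoap.org/claims/groups"


def extract_claims(saml_fragment):
    """Return (claim_type, value) pairs, one per <saml:AttributeValue>.

    This mirrors the behaviour described in the post: each AttributeValue
    element becomes exactly one claim, so a value such as "Value1, Value2"
    is kept whole rather than split on the comma.
    """
    root = ET.fromstring("<root>" + saml_fragment + "</root>")
    claims = []
    for attr in root.iter("{%s}Attribute" % SAML1):
        claim_type = attr.get("AttributeNamespace") + "/" + attr.get("AttributeName")
        for value in attr.findall("{%s}AttributeValue" % SAML1):
            claims.append((claim_type, (value.text or "").strip()))
    return claims


def has_group(claims, group):
    """Exact-match check, the way a permission granted to a group claim is evaluated."""
    return (GROUPS, group) in claims


# Constructed sample payloads in the three shapes discussed above.
ATTR = ('<saml:Attribute xmlns:saml="%s" AttributeNamespace="http://schemas.xmlsoap.org/claims" '
        'AttributeName="groups">' % SAML1)
COMMA_JOINED = ATTR + "<saml:AttributeValue>Value1, Value2</saml:AttributeValue></saml:Attribute>"
MULTI_VALUE = (ATTR + "<saml:AttributeValue>Value1</saml:AttributeValue>"
               "<saml:AttributeValue>Value2</saml:AttributeValue></saml:Attribute>")
REPEATED_ATTR = (ATTR + "<saml:AttributeValue>Value1</saml:AttributeValue></saml:Attribute>"
                 + ATTR + "<saml:AttributeValue>Value2</saml:AttributeValue></saml:Attribute>")

if __name__ == "__main__":
    for name, payload in [("comma-joined", COMMA_JOINED), ("multi-value", MULTI_VALUE),
                          ("repeated-attribute", REPEATED_ATTR)]:
        claims = extract_claims(payload)
        print(name, claims, "Value1 granted:", has_group(claims, "Value1"))
```

Only the second and third shapes yield a claim equal to "Value1"; the comma-joined form produces a single claim whose value matches no AD group name, so group-based authorization silently fails for that user.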

Hope this helps.