This article covers a common issue that occurs when a Security Assertion Markup Language (SAML) attribute statement is configured without a value in the SAML settings. The resulting SAML assertion does not close the attribute statement for that attribute the way the Service Provider expects, so the Service Provider raises an SSO error when it receives the SAML response.
[Screenshot: Okta Attribute SAML Settings]
[Screenshot: SAML Assertion]
Applies to:
- Security Assertion Markup Language (SAML)
- Single Sign On (SSO)
- App Integration Wizard
- Okta Classic Engine
This behavior follows the OASIS SAML specification, which permits an Attribute element with zero AttributeValue children; it is therefore implemented by design. The relevant schema definition is:

```xml
<complexType name="AttributeType">
  <sequence>
    <element ref="saml:AttributeValue" minOccurs="0" maxOccurs="unbounded"/>
  </sequence>
</complexType>
```
There are two possible fixes, depending on what the Service Provider expects:
- If the Service Provider expects a value for that SAML attribute statement, make sure a value is configured for it in the SAML settings.
- If the Service Provider does not expect that attribute statement to be sent at all, remove the statement from the SAML settings.
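To see which attribute statements in a captured SAML response arrived with no AttributeValue (and therefore need one of the two fixes above), the following script parses the assertion's AttributeStatement and lists every Attribute that has zero AttributeValue children. This is an added example, not code from the original article or from Okta; the sample assertion is constructed, and the attribute names "email" and "department" are placeholders.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace from the OASIS spec; the prefix used in the XML does not matter.
SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: "email" carries a value, while "department" was configured
# in the IdP's attribute statements without a value, so the IdP emits an Attribute element
# with no AttributeValue child (valid per the schema, since minOccurs="0").
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string">user@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="department"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def attribute_values(assertion_xml: str) -> dict[str, list[str]]:
    """Map each Attribute Name in the assertion's AttributeStatement(s) to the text of its
    AttributeValue children. An attribute sent without a value maps to an empty list."""
    root = ET.fromstring(assertion_xml)
    result: dict[str, list[str]] = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "") for v in attr.findall("saml2:AttributeValue", SAML_NS)]
        result[name] = values
    return result


def valueless_attributes(assertion_xml: str) -> list[str]:
    """Names of attributes that were sent with no AttributeValue at all: these are the
    statements to either give a value in the IdP settings or remove from the configuration."""
    return [name for name, values in attribute_values(assertion_xml).items() if not values]


if __name__ == "__main__":
    for name in valueless_attributes(SAMPLE_ASSERTION):
        print(f"attribute {name!r} has no AttributeValue; add a value or remove the statement")
```

Run it against the decoded SAMLResponse captured in the browser (for example from a SAML tracer extension) instead of the sample to check a real assertion.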
