Untitled

a guest
Oct 23rd, 2017
# Old Behavior

There was no way to tell whether a SAML attribute should be rendered as
an array or as a single value. For example, given the following SAML
attributes:

```xml
<saml2:Attribute Name="faws/canAddAWSAccount">
  <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/991049284483">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/042423532529">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
  <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
</saml2:Attribute>
```

They would be rendered to JSON as follows:

```json
{
  "RAX-AUTH:extendedAttributes": {
    "faws": {
      "canAddAWSAccount": "true",
      "991049284483": "fanatical_aws:admin",
      "042423532529": [
        "fanatical_aws:observer",
        "RackspaceReadOnly"
      ]
    }
  }
}
```

The rule was that an attribute containing a single value was rendered as
a plain string, and an attribute containing multiple values was rendered
as an array. Unfortunately, `991049284483` was also meant to be an array,
and nothing in the assertion could express that.

# New Behavior

We annotate attributes that should be multi-value with a
`mapping:multiValue` extension.

```xml
<saml2:Attribute Name="faws/canAddAWSAccount" mapping:multiValue="false">
  <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/991049284483" mapping:multiValue="true">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="faws/042423532529" mapping:multiValue="true">
  <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
  <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
</saml2:Attribute>
```

Because it is a proper optional attribute extension, it should be
ignored by whoever else processes the SAML assertion, but it tells the
converter how to render the extended attributes as JSON. The new JSON
looks like this:

```json
{
  "RAX-AUTH:extendedAttributes": {
    "faws": {
      "canAddAWSAccount": "true",
      "991049284483": [
        "fanatical_aws:admin"
      ],
      "042423532529": [
        "fanatical_aws:observer",
        "RackspaceReadOnly"
      ]
    }
  }
}
```

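The conversion described above, as an added example that is not part of the original paste or of the product it describes. It parses the annotated attributes with the standard library, groups them by the prefix before `/`, and renders either the old rule (array only when there is more than one value) or the new rule (`mapping:multiValue="true"` forces an array). The sample assertion is constructed from the page's attributes, and the namespace URI for the `mapping` prefix is a placeholder because the page does not give it; an unannotated attribute is assumed to be single-valued.

```python
import json
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# The page does not state the namespace URI behind the "mapping" prefix.
MAPPING = "urn:example:mapping-placeholder"

# Constructed sample: the page's attributes wrapped in an AttributeStatement
# so that the prefixes resolve.
SAMPLE = f"""<saml2:AttributeStatement xmlns:saml2="{SAML2}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:mapping="{MAPPING}">
  <saml2:Attribute Name="faws/canAddAWSAccount" mapping:multiValue="false">
    <saml2:AttributeValue xsi:type="xs:string">true</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="faws/991049284483" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:admin</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="faws/042423532529" mapping:multiValue="true">
    <saml2:AttributeValue xsi:type="xs:string">fanatical_aws:observer</saml2:AttributeValue>
    <saml2:AttributeValue xsi:type="xs:string">RackspaceReadOnly</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def extended_attributes(xml_text, honor_multivalue=True):
    """Render saml2:Attribute elements as the RAX-AUTH:extendedAttributes dict.

    honor_multivalue=False reproduces the old rule (array only when >1 value);
    True applies the new rule (mapping:multiValue="true" forces an array).
    """
    root = ET.fromstring(xml_text)
    groups = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        group, sep, name = attr.get("Name", "").partition("/")
        if not sep:
            raise ValueError(f"attribute {group!r} has no group prefix")
        values = [v.text or "" for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        # Unannotated attributes default to single-valued (assumption).
        flag = attr.get(f"{{{MAPPING}}}multiValue", "false").lower() == "true"
        # More than one value is always an array; the flag decides the 1-value case.
        if len(values) > 1 or (honor_multivalue and flag):
            rendered = values
        else:
            rendered = values[0] if values else ""
        groups.setdefault(group, {})[name] = rendered
    return {"RAX-AUTH:extendedAttributes": groups}


if __name__ == "__main__":
    print(json.dumps(extended_attributes(SAMPLE, honor_multivalue=False), indent=2))
    print(json.dumps(extended_attributes(SAMPLE), indent=2))
```

The first call prints the old rendering (a bare string for `991049284483`); the second prints the new one, where consumers can rely on the declared shape instead of branching on `isinstance`.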
Note that a side effect of the change is that the `multiValue` attribute
must also make its way to the XML version of the
`RAX-AUTH:extendedAttributes` extension:

```xml
<RAX-AUTH:extendedAttributes>
  <group name="faws">
    <attribute name="canAddAWSAccount">
      <value>true</value>
    </attribute>
    <attribute name="991049284483" multiValue="true">
      <value>fanatical_aws:admin</value>
    </attribute>
    <attribute name="042423532529" multiValue="true">
      <value>fanatical_aws:observer</value>
      <value>RackspaceReadOnly</value>
    </attribute>
  </group>
</RAX-AUTH:extendedAttributes>
```