From 4f4854f3076a2481cca80a658c56a20cc16ec82a Mon Sep 17 00:00:00 2001
From: piraveena
Date: Mon, 10 Jun 2024 12:39:01 +0530
Subject: [PATCH] Introduce config to send unsplitted SAML multi valued attributes

---
 .../identity/sso/saml/SAMLSSOConstants.java | 1 +
 .../DefaultSAMLAssertionBuilder.java | 22 +++++++++++++------
 .../identity/sso/saml/util/SAMLSSOUtil.java | 19 ++++++++++++++++
 3 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
index bbb0897a..5657c8c5 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/SAMLSSOConstants.java
@@ -70,6 +70,7 @@ public class SAMLSSOConstants {
     public static final String SAML_SP_CERTIFICATE_EXPIRY_VALIDATION_ENABLED = "SSOService.SAMLSPCertificateExpiryValidationEnable";
     public static final String SAML_IDP_INIT_LOGOUT_RESPONSE_SIGNING_ENABLED = "SSOService.SAMLIdpInitLogoutResponseSigningEnabled";
     public static final String SAML_ASSERTION_ENCRYPT_WITH_APP_CERT = "SSOService.SAMLAssertionEncyptWithAppCert";
+    public static final String SEPARATE_MULTI_ATTRS_FROM_IDPS_USING_ATTRIBUTE_SEPARATOR = "SSOService.SeparateMultiAttributesFromIdP";
     public static final String START_SOAP_BINDING = "" +
             "";
     public static final String END_SOAP_BINDING = "" +
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.java
index 4ecacf97..ae7ce53c 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/builders/assertion/DefaultSAMLAssertionBuilder.java
@@ -340,15 +340,23 @@ protected AttributeStatement buildAttributeStatement(Map claims)
         String claimSeparator = claims.get(IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR);
         String userAttributeSeparator;
         if (StringUtils.isNotBlank(claimSeparator)) {
-            userAttributeSeparator = claimSeparator;
-        } else {
             /*
-             * In the SAML outbound authenticator, multivalued attributes are concatenated using the primary user
-             * store's attribute separator. Therefore, to ensure uniformity, the multi-attribute separator from
-             * the primary user store is utilized for separating multivalued attributes when MultiAttributeSeparator
-             * is not available in the claims.
+            If there are any sp requested claims, then the multi attribute separator claim will be available.
              */
-            userAttributeSeparator = FrameworkUtils.getMultiAttributeSeparator();
+            userAttributeSeparator = claimSeparator;
+        } else {
+            if (!SAMLSSOUtil.separateMultiAttributesFromIdPEnabled()) {
+                userAttributeSeparator = IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR_DEFAULT;
+            } else {
+                /*
+                 * In the SAML outbound authenticator, multivalued attributes are concatenated using the primary user
+                 * store's attribute separator. Therefore, to ensure uniformity, the multi-attribute separator from
+                 * the primary user store is utilized for separating multivalued attributes when MultiAttributeSeparator
+                 * is not available in the claims.
+                 */
+                userAttributeSeparator = FrameworkUtils.getMultiAttributeSeparator();
+            }
+        }
         claims.remove(IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR);
         claims.remove(FrameworkConstants.IDP_MAPPED_USER_ROLES);
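Review bot: The disabled-config path added in the `else` branch carries no explanation of why `IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR_DEFAULT` is the fallback instead of the primary user store's separator, and the comment moved into the `if` branch has lost its `*` prefix, so the three outcomes are harder to read than they need to be. Flattening the nested `if`/`else` to `} else if (!SAMLSSOUtil.separateMultiAttributesFromIdPEnabled()) {` and preceding the assignment with `// Config disabled: values from the IdP are split only on the framework default separator, not on the primary user store's separator.` would make the intent explicit. The commit subject says the attributes are sent unsplit, yet this path still selects a separator that the surrounding code presumably applies to IdP-supplied values; if splitting on the default separator is the intended behaviour, the comment should say so, since any attribute value received from a federated IdP that contains that separator will still be broken into multiple values. `buildAttributeStatement` starts and ends outside the hunk.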
diff --git a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java
index 20caacb0..c0a36a22 100644
--- a/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java
+++ b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/util/SAMLSSOUtil.java
@@ -2756,4 +2756,23 @@ public static boolean isSAMLIdpInitLogoutResponseSigningEnabled() {
         return Boolean.parseBoolean(IdentityUtil.getProperty(
                 SAMLSSOConstants.SAML_IDP_INIT_LOGOUT_RESPONSE_SIGNING_ENABLED));
     }
+
+    /**
+     * SeparateMultiAttributesFromIdP config is used to separate the multi-valued attributes sent from the IdPs.
+     * This config is used when the SP doesn't request any claim in IS, and all the claims from the IdP are passed
+     * to the SP.
+     *
+     * @return false if 'separateMultiAttributesFromIdP' config is disabled. By default, this config is enabled in the
+     * product.
+     */
+    public static boolean separateMultiAttributesFromIdPEnabled() {
+
+        String separateMultiAttributesFromIdPEnabledConfig = IdentityUtil.getProperty(
+                SAMLSSOConstants.SEPARATE_MULTI_ATTRS_FROM_IDPS_USING_ATTRIBUTE_SEPARATOR);
+        if (StringUtils.isNotEmpty(separateMultiAttributesFromIdPEnabledConfig)) {
+            return Boolean.parseBoolean(separateMultiAttributesFromIdPEnabledConfig);
+        } else {
+            return true;
+        }
+    }
 }
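Review bot: The new helper breaks the naming convention of its sibling at the top of the hunk (`isSAMLIdpInitLogoutResponseSigningEnabled`), and the `else` after an unconditional `return` is redundant; renaming it `isSeparateMultiAttributesFromIdPEnabled` (with the single call site in DefaultSAMLAssertionBuilder updated) and collapsing the body to `return StringUtils.isEmpty(config) || Boolean.parseBoolean(config);` would match the file's style. `Boolean.parseBoolean` yields `false` for anything other than a case-insensitive `true`, so a typo or a value with surrounding whitespace (unless `IdentityUtil.getProperty` already trims, which is not visible here) silently disables splitting; applying `strip()` before parsing and logging the effective value at debug level would make such a misconfiguration diagnosable. The Javadoc `@return` only states the false case; `@return {@code true} when the property is unset or set to {@code true}, {@code false} otherwise` states the contract fully. The constant name `SEPARATE_MULTI_ATTRS_FROM_IDPS_USING_ATTRIBUTE_SEPARATOR` also does not match the property key `SSOService.SeparateMultiAttributesFromIdP` it holds, which makes the setting harder to locate from the configuration side.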