Hi, Miguel. Could you provide LDIF dump of this "MiguelUser" user entry? Also, could you provide SAML and SCIM results which you consider correct, for clarity?

Glad you asked! ##LDIF: ``` dn: inum=@!037F.7407.DCC3.D36D!0001!38C4.7E97!0000!37BA.B282.B251.6337,ou=pe ople,o=@!037F.7407.DCC3.D36D!0001!38C4.7E97,o=gluu objectClass: gluuPerson objectClass: top cn: Miguel MiguelUser displayName: MiguelUser givenName: Miguel gluuStatus: active iname: *person*miguelUser inum: @!037F.7407.DCC3.D36D!0001!38C4.7E97!0000!37BA.B282.B251.6337 mail: left@right.com oxCreationTimestamp: 20170712201034.582Z oxLastLogonTime: 20170727212830.222Z oxTrustEmail: {"operation":null,"value":"left@right.com","display":"left@rig ht.com","primary":true,"reference":null,"type":"other"} oxTrustMetaLastModified: 2017-07-27T19:57:16.477Z oxTrustMetaLocation: /scim/v2/Users/@!037F.7407.DCC3.D36D!0001!38C4.7E97!000 0!37BA.B282.B251.6337 role: course_officer role: member uid: miguelUser updatedAt: 20170727195716.477Z userPassword:: XXXX dn: ou=clientAuthorizations,inum=@!037F.7407.DCC3.D36D!0001!38C4.7E97!0000!3 7BA.B282.B251.6337,ou=people,o=@!037F.7407.DCC3.D36D!0001!38C4.7E97,o=gluu objectClass: organizationalUnit objectClass: top ou: clientAuthorizations ``` ##SimpleSAML rendering of the XML response with the roles Noticed that its rendered as an array as expected. I can show on other systems too but I figure this is enough  ##SCIM output when asking for the same user: ``` { "id": "@!037F.7407.DCC3.D36D!0001!38C4.7E97!0000!37BA.B282.B251.6337", "externalId": null, "meta": { "created": null, "lastModified": "2017-07-27T19:57:16.477Z", "location": "https://auth.cps-ecp.dev.innovexa.com/identity/seam/resource/restv1/scim/v2/Users/@!037F.7407.DCC3.D36D!0001!38C4.7E97!0000!37BA.B282.B251.6337", "version": null, "resourceType": "User" }, "schemas": [ "urn:ietf:params:scim:schemas:extension:gluu:2.0:User", "urn:ietf:params:scim:schemas:core:2.0:User" ], "userName": "miguelUser", "name": { "formatted": "Miguel Mendez", "familyName": "Mendez", "givenName": "Miguel", "middleName": null, "honorificPrefix": null, "honorificSuffix": null }, "displayName": "MiguelUser", "nickName": null, "profileUrl": null, "title": null, "userType": null, "preferredLanguage": null, "locale": null, "timezone": null, "active": null, "password": "Hidden for Privacy Reasons", "emails": [ { "operation": null, "value": "left@right.com", "display": "left@right.com", "primary": true, "reference": null, "type": "other" } ], "phoneNumbers": [], "ims": [], "photos": [], "addresses": [], "groups": [], "entitlements": [], "roles": [], "pairwiseIdentitifers": [], "x509Certificates": [], "urn:ietf:params:scim:schemas:extension:gluu:2.0:User": { "role": [ "course_officer", "member" ], "gluuStatus": "active" } } ```

I can confirm it's like this. Doesn't seem right, indeed. Assigning to Javier to review. For some reason it combines several values of multivalued attribute in one string. I believe some like this already was discussed before, so may be it's fixed in upcoming CE 3.1

If you really need to fix it right away, Miguel, you could try to use a dynamic scope script approach as a workaround. You should be able to send the value you need in the userinfo response this way. Though there is no guarantee the issue won't be there too.

I'm not in dire need of it. We have a fairly small deployment so we already have a workaround for it, it's more for you guys and for the other people who probably don't post on these forums, haha. As always thanks for the fast response!

Thanks Miguel. Created a github [issue](https://github.com/GluuFederation/oxAuth/issues/600).