How can I filter Group DN's to only have the value of the CN?

Article ID: 104915

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We're running Policy Server in Federation, and when the Assertion Generator creates the SAML response, the group attribute has a long list of group names that contain the full DN.

Example: 
CN=admins,OU=Groups,DC=siteminder,DC=com^CN=helpdesk,OU=Groups,DC=siteminder,DC=com

How can we only return the value of the CN for the group DN?

Environment

Release: MSPJBO99000-12.52-Single Sign-On-Agent for JBoss-for MSP
Component:

Resolution

The way to get just the CN value of the group membership attribute is to create a custom (virtual) attribute in the User Directory. To do this, you will need to do the following:

1) Go to the User Directory the Users are members of. 
2) Go to the Attribute Mapping Section and click Create. 
3) Give a name to the new Virtual Attribute. 
4) In the Definition field, enter the following: 
FILTER( GET('memberOf') , '(?<=CN=)(.*)(?=,OU)' ) 

NOTE: This will filter the user's group memberships down to just the CN value of each group DN. You may also need to replace OU with the type of container the group actually sits in. For example, if the full DN from the description (CN=admins,OU=Groups,DC=siteminder,DC=com) had no Groups OU and went straight to the DC (CN=admins,DC=siteminder,DC=com), then OU would be replaced with DC.
Or you can come up with your own regex to do a custom filter; this is just an example.

5) In the Federation Partnership, for the attribute value, select User Attribute and enter the Virtual Attribute name that you gave it in Step 3.

This will tell the Policy Server to get the Virtual Attribute and calculate its value to be used in the Assertion. 

Additional Information

FILTER() takes two arguments: the first is the value that you want to filter, and the second is the regular expression string used to perform the filter.

We use GET() to fetch the user's attribute, and its result is the string that we are going to filter.

Once FILTER() is done processing the string, it returns the result of matching the RegEx string '(?<=CN=)(.*)(?=,OU)'.

The way I came up with the RegEx string was to test on a RegEx tester site (https://regexr.com/) and try to come up with a regex string that would only return the value of the CN of a group DN.
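The following is an added Python model of the regex step from the Definition field in step 4 and the FILTER() explanation above; it is not SiteMinder code and does not reproduce how FILTER() itself treats DNs that do not match. The sample memberOf value is constructed, and the second regex (FIRST_RDN_REGEX) is an assumed alternative, not one the article gives. It also shows what happens with nested OUs, with a DN that has no OU, and when two different groups collapse to the same CN:

```python
import re
from collections import Counter

# Constructed sample of a multi-valued memberOf attribute in the form the
# article shows, with '^' separating the individual group DNs.
MEMBER_OF = (
    "CN=admins,OU=Groups,DC=siteminder,DC=com"
    "^CN=helpdesk,OU=Groups,DC=siteminder,DC=com"
    "^CN=admins,OU=Groups,OU=Corp,DC=siteminder,DC=com"  # nested OUs
    "^CN=auditors,DC=siteminder,DC=com"                  # no OU at all
)

# The regex from the article's Definition field (greedy '.*').
ARTICLE_REGEX = r"(?<=CN=)(.*)(?=,OU)"
# Assumed alternative (not from the article): stop at the first comma, so
# nested OUs and DC-only DNs are handled the same way as the simple case.
FIRST_RDN_REGEX = r"(?<=CN=)(.*?)(?=,)"

def extract_cns(member_of: str, regex: str = ARTICLE_REGEX) -> list[str]:
    """Split the '^'-joined value into DNs, run the regex against each one and
    keep group 1 of every DN that matches. Non-matching DNs are dropped here;
    the article does not say how SiteMinder's FILTER() treats them."""
    cns = []
    for dn in member_of.split("^"):
        m = re.search(regex, dn)   # case-sensitive: 'cn=' would not match
        if m:
            cns.append(m.group(1))
    return cns

def ambiguous_cns(member_of: str, regex: str = FIRST_RDN_REGEX) -> set[str]:
    """CN values produced by more than one DN. Once the OU/DC part is gone the
    assertion consumer cannot tell those groups apart, so check this before
    authorising on the CN alone."""
    counts = Counter(extract_cns(member_of, regex))
    return {cn for cn, n in counts.items() if n > 1}

if __name__ == "__main__":
    print(extract_cns(MEMBER_OF))                   # greedy article regex
    print(extract_cns(MEMBER_OF, FIRST_RDN_REGEX))  # first-RDN variant
    print(ambiguous_cns(MEMBER_OF))
```

With the article's greedy regex the nested-OU DN yields "admins,OU=Groups" and the DC-only DN yields nothing, which is the case the NOTE in step 4 warns about.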

Expressions Documentation:

FILTER() : https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators#Operators-FILTERFunction--TestSetElements

GET() :  https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators#Operators-GETFunction--LocateAttributesinaUserDirectory