How to pass only the cn from user groups as an assertion attribute


Article ID: 207082


Updated On:





We're running a Policy Server to serve Federation journeys, and we'd
like to know how to set the AttributeValue for Attribute Name
"SM_USERGROUPS" by keeping only the cn part of each value returned.

We'd like the assertion attribute set this way:

  <ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

instead of 

   <ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">


How can we do this?




Using an expression in the attribute configuration will let you do
that.

A community thread was raised for a very similar request, and using an
expression in the configuration gets close to what you need:

  Send only subset of the groups in the SAML assertions

    We tried creating a virtual Attribute Mapping (using the expression
    shown below) in the User Directory to filter a set of groups. Then, in
    the SAML Attribute section, we used FMATTR:VirtualAttributeName to send
    the filtered groups as separate attribute values.

    Name: GroupNames

    Expression: Filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*Application1*')

    We used FMATTR in the federation partnership to send the values as
    separate attribute values.


    We got the output below:

    <ns2:Attribute Name="GroupNames"