how to pass only cn from user groups as assertion attribute

Article ID: 207082
Products

SITEMINDER

Issue/Introduction

We're running a Policy Server to serve Federation journeys and we'd
like to know how to set the AttributeValue for the Attribute Name
"SM_USERGROUPS" while keeping only the cn part of each value returned.

We'd like the assertion attribute to be set like this:

  <ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>cn=xxx_DEFAULT_Access</ns2:AttributeValue>
    <ns2:AttributeValue>cn=yyy_ALL</ns2:AttributeValue>
    [...]
  </ns2:Attribute>

instead of

  <ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>cn=xxx_DEFAULT_Access,ou=myTeam,ou=Group,dc=training,dc=com</ns2:AttributeValue>
    <ns2:AttributeValue>cn=yyy_ALL,ou=myTeam,ou=Group,dc=training,dc=com</ns2:AttributeValue>
    [...]
  </ns2:Attribute>

How can we do this?

Resolution

Using an Expression in the configuration of the Attribute should let
you do that.

A very similar request was raised in one of our community threads, and
using an expression in the configuration produced something close to
what you need:

  Send only subset of the groups in the SAML assertions

    We tried creating a virtual Attribute Mapping (using the expression
    shown below) in the User Directory to filter a set of groups. Then, in
    the SAML Attribute section, we used FMATTR:VirtualAttributeName to send
    the filtered groups as separate attribute values.

    Name: GroupNames

    Expression: Filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*Application1*')

    Used FMATTR in the federation partnership to send the values as
    separate attribute values.

    [...]  

    Got the output below:

    <ns2:Attribute Name="GroupNames" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <ns2:AttributeValue>Application1-Group1</ns2:AttributeValue>
      <ns2:AttributeValue>Application1-Group2</ns2:AttributeValue>
      [...]

  https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=324d0f9b-c4c8-4104-81a9-dedd54ba95dc&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer#bm324d0f9b-c4c8-4104-81a9-dedd54ba95dc
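To make the expression's behaviour concrete, here is an added Python model of the ENUMERATE / RDN / Filter pipeline (illustrative code written for this article, not SiteMinder's own implementation). It assumes the constructed memberOf values below and that RDN()'s second argument controls whether the attribute type is kept: the FALSE case is inferred from the thread's output, while the TRUE case (keeping "cn=") is an assumption to check against the SiteMinder expression reference.

```python
import fnmatch
import re
from typing import List

# Constructed sample memberOf values in the shape shown in the article;
# not taken from a real directory.
MEMBER_OF = [
    "cn=xxx_DEFAULT_Access,ou=myTeam,ou=Group,dc=training,dc=com",
    "cn=yyy_ALL,ou=myTeam,ou=Group,dc=training,dc=com",
    "cn=Application1-Group1,ou=Apps,ou=Group,dc=training,dc=com",
    # RDN value containing an escaped comma: a naive split(",") would break it
    r"cn=Application1\, Group2,ou=Apps,ou=Group,dc=training,dc=com",
]

# Split a DN on commas that are not preceded by a backslash (RFC 4514 escaping).
_DN_COMPONENT_SPLIT = re.compile(r"(?<!\\),")


def rdn(dn: str, keep_type: bool) -> str:
    """Return the first RDN of `dn`.

    keep_type=True  -> "cn=xxx_DEFAULT_Access"  (what the article asks for;
                       assumed behaviour of RDN(...,TRUE))
    keep_type=False -> "xxx_DEFAULT_Access"     (what RDN(...,FALSE) produced
                       in the quoted thread)
    """
    first = _DN_COMPONENT_SPLIT.split(dn, maxsplit=1)[0].strip()
    if keep_type:
        return first
    _attr_type, _sep, value = first.partition("=")
    return value.replace("\\,", ",")  # unescape the bare value


def enumerate_rdn(member_of: List[str], keep_type: bool) -> List[str]:
    """Model of ENUMERATE(Get('memberOf'), STRING(RDN(STRING(%0), ...)))."""
    return [rdn(dn, keep_type) for dn in member_of]


def filter_glob(values: List[str], pattern: str) -> List[str]:
    """Model of Filter(<list>, '*Application1*'): shell-style wildcard match."""
    return [v for v in values if fnmatch.fnmatchcase(v, pattern)]


if __name__ == "__main__":
    # SM_USERGROUPS case from the article: keep "cn=" but drop the DN suffix.
    print(enumerate_rdn(MEMBER_OF[:2], keep_type=True))
    # Community-thread case: type stripped, then filtered to Application1 groups.
    print(filter_glob(enumerate_rdn(MEMBER_OF, keep_type=False), "*Application1*"))
```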