How to pass only cn from user groups as assertion attribute
search cancel

How to pass only cn from user groups as assertion attribute


Article ID: 207082


Updated On:


SITEMINDER CA Single Sign On Federation (SiteMinder)


User belongs to Group1 and Group2.

This group names need to be included in the assertion as user attributes.

But the goal is to send only the CN value of the groups as it can be lengthy.


How do I send the following

  <ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

instead of 

   <ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">



Step1: Create a Virtual Attribute that will return all groups the user is a member of.

At the User Directory Definition, there is "Attribute Mapping List", click on "Create" button.

Give it a name, in this sample the virtual attribute name is called "FILTERGRP"

Select "Expression" radio button and enter the following expression in the "Definition" box.


Click "OK" to save.


Step2: Update your Federation Partnership

Deactivate the partnership and goto "Assertion Configuration".

There are 2 ways you can send the group names in the assertion.

With 1 element: You will send one line of groups with "^" as separator. Note the "Type: User Attribute" and "Value: FILTERGRP"

            <ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <ns2:AttributeValue>PAM-Admin-Group^PAM-Admins^VIP Admin Group</ns2:AttributeValue>


With multiple elements: You will have separate lines per group.

Note the "Type: User Attribute" and "Value: FMATTR:FILTERGRP" field.

            <ns2:Attribute Name="Groups2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <ns2:AttributeValue>VIP Admin Group</ns2:AttributeValue>