How to pass only cn from user groups as assertion attribute

Article ID: 207082


Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

A user belongs to Group1 and Group2.

These group names need to be included in the assertion as user attributes.

The goal, however, is to send only the CN value of each group, because the full group DN can be lengthy.

How do I send the following:

<ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>xxx_DEFAULT_Access</ns2:AttributeValue>
    <ns2:AttributeValue>yyy_ALL</ns2:AttributeValue>
    [...]
</ns2:Attribute>

instead of

<ns2:Attribute Name="SM_USERGROUPS" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>cn=xxx_DEFAULT_Access,ou=myTeam,ou=Group,dc=training,dc=com</ns2:AttributeValue>
    <ns2:AttributeValue>cn=yyy_ALL,ou=myTeam,ou=Group,dc=training,dc=com</ns2:AttributeValue>
    [...]
</ns2:Attribute>

 

Resolution

Step 1: Create a virtual attribute that returns all groups the user is a member of.

In the User Directory definition, open the "Attribute Mapping List" and click the "Create" button.

Give it a name; in this sample the virtual attribute is called "FILTERGRP".

Select the "Expression" radio button and enter the following expression in the "Definition" box:

ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE)))

Click "OK" to save.

 

Step 2: Update your federation partnership

Deactivate the partnership and go to "Assertion Configuration".

There are two ways to send the group names in the assertion.

With one element: a single value that lists all groups with "^" as the separator. Note "Type: User Attribute" and "Value: FILTERGRP".

<ns2:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>PAM-Admin-Group^PAM-Admins^VIP Admin Group</ns2:AttributeValue>
</ns2:Attribute>

 

With multiple elements: one AttributeValue per group.

Note "Type: User Attribute" and "Value: FMATTR:FILTERGRP".

<ns2:Attribute Name="Groups2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>PAM-Admin-Group</ns2:AttributeValue>
    <ns2:AttributeValue>PAM-Admins</ns2:AttributeValue>
    <ns2:AttributeValue>VIP Admin Group</ns2:AttributeValue>
</ns2:Attribute>
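The following is an added example, not code from this article or from SiteMinder: it mirrors in Python what the Step 1 expression ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))) is assumed to produce (the value of each group DN's first RDN, order kept, no de-duplication) and the two Step 2 layouts, so the mapping can be checked offline. The group DNs are constructed samples, and DN escaping is handled per RFC 4514.

```python
import re

# Constructed sample of what SM_USERGROUPS holds before the mapping is applied;
# the last DN shares its cn with the second one but sits in a different OU.
SAMPLE_GROUP_DNS = [
    "cn=xxx_DEFAULT_Access,ou=myTeam,ou=Group,dc=training,dc=com",
    "cn=yyy_ALL,ou=myTeam,ou=Group,dc=training,dc=com",
    r"cn=Ops\, Night Shift,ou=myTeam,ou=Group,dc=training,dc=com",  # escaped comma
    "cn=yyy_ALL,ou=otherTeam,ou=Group,dc=training,dc=com",
]

def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and a hex pair such as '\\2C' -> ','."""
    def repl(m):
        g = m.group(1)
        return bytes([int(g, 16)]) if len(g) == 2 else g
    raw = re.sub(rb"\\([0-9A-Fa-f]{2}|.)", repl, value.encode("utf-8"), flags=re.DOTALL)
    return raw.decode("utf-8")

def first_rdn_value(dn: str) -> str:
    """First RDN's value, assumed to match RDN(dn, FALSE): 'cn=a\\, b,ou=x' -> 'a, b'."""
    rdn = re.match(r"(?:\\.|[^,\\])*", dn, re.DOTALL).group(0)  # up to first unescaped comma
    _attr_type, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"not an RDN: {rdn!r}")
    return _unescape(value.strip())

def group_names(group_dns: list[str]) -> list[str]:
    """What FILTERGRP holds, assuming ENUMERATE keeps order and does not de-duplicate."""
    return [first_rdn_value(dn) for dn in group_dns]

def single_element_value(group_dns: list[str]) -> str:
    """Step 2 'Value: FILTERGRP' layout: one AttributeValue, '^' separated."""
    return "^".join(group_names(group_dns))

def collapsed_names(group_dns: list[str]) -> dict[str, list[str]]:
    """Names that more than one DN maps to once the ou/dc context is dropped."""
    seen: dict[str, list[str]] = {}
    for dn in group_dns:
        seen.setdefault(first_rdn_value(dn), []).append(dn)
    return {name: dns for name, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    for dn in SAMPLE_GROUP_DNS:
        print(f"{dn}  ->  {first_rdn_value(dn)}")
    print("single element:", single_element_value(SAMPLE_GROUP_DNS))
    print("multiple elements:", group_names(SAMPLE_GROUP_DNS))
    print("ambiguous after mapping:", collapsed_names(SAMPLE_GROUP_DNS))
```

Dropping the ou/dc context means two groups that share a cn in different containers become indistinguishable to the relying party; collapsed_names flags such collisions so they can be reviewed before the partnership is reactivated.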