Example of how to pass a user's group membership in an assertion attribute
Article ID: 369719

Products

SITEMINDER

Issue/Introduction

Partners often request that data such as a user's LDAP group membership be passed in the assertion. Rather than sending all of the user's groups, which can be quite a large list, they may want only a certain subset.

Environment

Applicable to 12.8.x

Applicable to any OS

Resolution

An easy way to do this is to use an Attribute Mapping in the User Directory properties, with an expression that filters the user's group membership down to the required group name.

1) Go to the User Directory and modify it

2) At the bottom of the properties page, click to Create an Attribute Mapping

3) Enter information similar to below

This example filters the user's LDAP groups in memberOf and returns those whose names contain "employee".

4) Click OK and then Submit to update the User Directory with the new Attribute Mapping named "CheckEmployeeGroup"

5) Now in the Partnership, under the Assertion Attributes section, add a new User Attribute using the name "CheckEmployeeGroup".

6) Save the Partnership

7) Now test the Partnership and verify that, in the assertion, the attribute EmpGroup shows the user's LDAP group membership when they belong to a group containing "employee", or null when they do not.
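As an added illustration (not from the article, and not SiteMinder expression syntax; the expression shown in the article's screenshot is not reproduced here), the following Python models what the mapping computes: keep the memberOf values containing "employee" and return null when none match. It also shows why anchoring the match to the group's CN rather than the whole DN is safer: a plain substring match also fires on an OU name such as ou=employee-services, which would assert a membership the partner did not ask for. The DNs are constructed sample data.

```python
# Added example: a Python model of the attribute-mapping logic described in the
# article. This is NOT SiteMinder expression code and NOT the article's own example.
from typing import List, Optional

# Constructed sample memberOf values for one user (not real directory data).
SAMPLE_MEMBER_OF = [
    "cn=employees,ou=groups,dc=example,dc=com",
    "cn=admins,ou=groups,dc=example,dc=com",
    "cn=contractors,ou=employee-services,dc=example,dc=com",
    "cn=Employee-Payroll,ou=groups,dc=example,dc=com",
]


def naive_filter(member_of: List[str], needle: str = "employee") -> Optional[List[str]]:
    """Case-insensitive substring match over the whole DN, as the article's
    description reads. Returns None (the assertion's null) when nothing matches."""
    hits = [dn for dn in member_of if needle.lower() in dn.lower()]
    return hits or None


def rdn_value(dn: str) -> str:
    """Return the value of the first RDN (the 'cn=' part) of a DN.
    Simple split; does not handle escaped commas inside RDN values."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip() if "=" in first else first


def cn_filter(member_of: List[str], needle: str = "employee") -> Optional[List[str]]:
    """Match only the group's own CN, so OU or domain components elsewhere in the
    DN cannot produce a false hit. Returns None when nothing matches."""
    hits = [dn for dn in member_of if needle.lower() in rdn_value(dn).lower()]
    return hits or None


if __name__ == "__main__":
    # The naive filter also returns the contractors group because of its OU name.
    print("naive:", naive_filter(SAMPLE_MEMBER_OF))
    print("cn-anchored:", cn_filter(SAMPLE_MEMBER_OF))
    # A user with no matching group yields null, as step 7 expects.
    print("no match:", cn_filter(["cn=admins,ou=groups,dc=example,dc=com"]))
```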


Note 1 - Names can be altered as desired

Note 2 - Once the Partnership uses the mapped attribute, future changes to the filtering logic only require updating the mapped attribute's expression; the Partnership itself does not need to be altered.