Custom assertion attribute to only return specific group in SAML



Article ID: 374824


Products

SITEMINDER

Issue/Introduction

The 'memberOf' attribute in the directory holds multiple values, one for each application the user is provisioned for. We want to customize the value so that the SAML response carries only the group that is specific to the application receiving it, and only the group name, without the 'CN=' prefix or the rest of the DN.

Resolution

This can be done by mapping the attribute to the following expression:

RDN(BEFORE(STRING(FILTER(SM_USERGROUPS, <pattern>)),'^')) 

Here <pattern> is the pattern that identifies the specific group. FILTER keeps only the groups that match it, and the expression returns the first matching group, or an empty value if no group matches. Make the pattern specific enough that it cannot also match a similarly named group, since only the first match is sent.

For example, the result will look like this:

            <ns2:Attribute Name="memberof" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
                <ns2:AttributeValue>Backup Operators</ns2:AttributeValue>
            </ns2:Attribute>
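To see what the expression produces before putting it into the attribute mapping, the following added example (not code from the article or from SiteMinder) emulates each function in the pipeline in Python over a constructed SM_USERGROUPS value. It assumes that SM_USERGROUPS and STRING() use '^' as the group delimiter (inferred from the BEFORE(..., '^') in the expression) and that FILTER treats its pattern as a regular expression matched against each group DN; check the SiteMinder expression reference for the exact matching rules. It also shows why the pattern should be anchored: a loose pattern returns the wrong group when a similarly named group sorts first.

```python
import re

# Constructed sample input, not taken from any real directory: the user's group
# DNs joined with '^', which is the delimiter the article's expression assumes.
SAMPLE_USERGROUPS = (
    "CN=Domain Users,CN=Users,DC=example,DC=com^"
    "CN=Backup Operators Admins,OU=Apps,DC=example,DC=com^"
    "CN=Backup Operators,CN=Builtin,DC=example,DC=com"
)


def sm_filter(groups, pattern):
    """Emulates FILTER(set, pattern): keep the DNs matching the pattern.

    Assumption: the pattern is a regular expression searched in each DN.
    """
    return [g for g in groups if re.search(pattern, g)]


def sm_string(groups):
    """Emulates STRING(set): join the set back into one '^'-delimited string (assumption)."""
    return "^".join(groups)


def sm_before(value, delimiter):
    """Emulates BEFORE(string, delimiter): text before the first delimiter,
    or the whole string when the delimiter is absent."""
    return value.split(delimiter, 1)[0]


def sm_rdn(dn):
    """Emulates RDN(dn): the value of the first RDN with its 'CN=' (attribute
    type) removed. Backslash-escaped commas inside the value (RFC 4514) are
    kept as part of the name rather than treated as a separator."""
    if not dn:
        return ""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    _, _, value = first_rdn.partition("=")
    return value.replace("\\,", ",")


def application_group(sm_usergroups, pattern):
    """Evaluates RDN(BEFORE(STRING(FILTER(SM_USERGROUPS, <pattern>)), '^'))
    and returns the value that would be placed in the SAML attribute."""
    groups = sm_usergroups.split("^")
    matched = sm_filter(groups, pattern)
    first_match = sm_before(sm_string(matched), "^")
    return sm_rdn(first_match)


if __name__ == "__main__":
    # Anchored pattern: exactly the group for this application.
    print(application_group(SAMPLE_USERGROUPS, r"^CN=Backup Operators,"))
    # Loose pattern: the first match is a different group with a similar name.
    print(application_group(SAMPLE_USERGROUPS, r"Backup Operators"))
    # No match: the attribute value is empty.
    print(repr(application_group(SAMPLE_USERGROUPS, r"^CN=Nonexistent,")))
```

The anchored pattern returns "Backup Operators", the loose pattern returns "Backup Operators Admins" because that DN comes first in the list, and a pattern that matches nothing yields an empty value, which is what the service provider will see in the assertion.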
