Symantec Access Management

  • 1.  How to pass filtered AD groups in SAML?

    Posted Nov 28, 2017 05:05 AM

    Hi, 

     

Is there any way to pass filtered AD groups in SAML? For example, the user is part of 10 AD groups and I need to pass only the application-specific groups in SAML.

    I think AGP (Assertion Generator Plugin) is the way, but can we use a JUEL expression to achieve this?

     

    ENV:

     

    Siteminder R12.52 SP1 CR 05

    Partnership federation

    SPS is used 



  • 2.  Re: How to pass filtered AD groups in SAML?

    Posted Dec 04, 2017 04:54 AM

    Hi Ram,

     

Please refer to the KB article below.

    Juel Expressions in SAML Assertions 

     

    Thanks,
    Sharan



  • 3.  Re: How to pass filtered AD groups in SAML?

    Posted Dec 04, 2017 09:34 AM

If we want to do filtering of groups outside of the SAML Partnership and then use it within the SAML Partnership, it could be done as follows. There have been multiple use cases discussed in this one single thread.

     

    Send only subset of the groups in the SAML assertions 



  • 4.  Re: How to pass filtered AD groups in SAML?

    Posted Dec 05, 2017 02:52 PM

I do it with a reused Assertion Plug-in. Each application has a dedicated group prefix, which is passed with plug-in parameters. The plug-in only keeps groups that start with the prefix.



  • 5.  Re: How to pass filtered AD groups in SAML?

    Posted Dec 05, 2017 04:47 PM

A custom Assertion plugin can achieve complicated use cases. However, it needs to be recompiled with upgrades and maintained, which adds overhead.

    If each application has a dedicated group prefix, an expression can filter using the prefix and send only the groups which match the prefix string. This is something to consider to migrate away from a custom AGP and use the OOB feature.

    Here is an example from the thread https://communities.ca.com/thread/241696397; this would only return groups which match the strings APP1 and APP2, instead of returning all groups which the user belongs to.

    Create an Attribute Mapping (Virtual Attribute) using this expression:
    Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*APP1*') + "^" + Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*APP2*')
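    To check what the prefix filter in the expression above (and the prefix plug-in described in reply 4) releases versus withholds before wiring it into a partnership, here is a small Python model of that logic. It is an added example, not SiteMinder code or the expression engine itself; it assumes isMemberOf holds full DNs, that RDN(..., FALSE) yields the leftmost RDN value without its attribute type, that Filter() matches wildcards case-insensitively, and that each filtered set is comma-joined before the "^" concatenation.

```python
import fnmatch
import re

# Constructed sample: the user is in 10 AD groups, but only the APP1/APP2
# groups belong in the assertion for this partnership.
IS_MEMBER_OF = [
    "CN=APP1-Users,OU=Apps,DC=example,DC=com",
    "CN=APP1-Admins,OU=Apps,DC=example,DC=com",
    "CN=APP2-Readers,OU=Apps,DC=example,DC=com",
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=HR-Payroll,OU=Corp,DC=example,DC=com",
    "CN=VPN-Users,OU=Corp,DC=example,DC=com",
    "CN=Finance\\, EMEA,OU=Corp,DC=example,DC=com",  # escaped comma in the value
    "CN=APP3-Users,OU=Apps,DC=example,DC=com",
    "CN=Printer-Ops,OU=Corp,DC=example,DC=com",
    "CN=All-Staff,OU=Corp,DC=example,DC=com",
]


def rdn(dn, with_type=False):
    """Leftmost RDN of a DN, modelling RDN(STRING(%0), FALSE) (assumed semantics):
    split on the first unescaped comma and drop the attribute type unless asked."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = first.partition("=")
    value = value.replace("\\,", ",")
    return f"{attr}={value}" if with_type else value


def filter_groups(groups, pattern):
    """Model of Filter(ENUMERATE(...), pattern): keep RDN values matching the
    wildcard pattern, case-insensitively as AD group names are compared."""
    return [g for g in map(rdn, groups) if fnmatch.fnmatch(g.lower(), pattern.lower())]


def assertion_groups(groups, patterns, sep="^"):
    """Join one filtered set per application pattern with sep, mirroring the
    '+ "^" +' in the thread's expression (comma-joining each set is an assumption)."""
    return sep.join(",".join(filter_groups(groups, p)) for p in patterns)


def withheld_groups(groups, patterns):
    """Groups that would NOT reach the SP: review this list to confirm the filter
    hides everything that is not application-specific."""
    kept = {g for p in patterns for g in filter_groups(groups, p)}
    return [g for g in map(rdn, groups) if g not in kept]
```

    Running assertion_groups(IS_MEMBER_OF, ["*APP1*", "*APP2*"]) on the sample yields "APP1-Users,APP1-Admins^APP2-Readers"; the other seven groups, including Domain Admins and the unrelated APP3 group, stay out of the assertion.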