Hello Everyone,
I have been monkeying around the past week, tweaking all the different possible ways of trying to accomplish this, and folks here have helped me get quite far, but I am just about there.
What I need is to pass one SAML attribute which will contain only one of several possible user role values.
A) pass a SAML attribute named "UserRole"
B) Evaluate the user's "memberOf" AD attribute to see which of these three AD groups the user belongs to and pass a corresponding role name:
(1) if user is member of AD group "org_manager" - - - > pass this role name value: "admin-user"
(2) if user is member of AD group "org_developer" - - - > pass this role value: "power-user"
(3) if user is member of AD group "org_employee" - - - > pass this role value: "user"
This expression works for me - - > GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : ""
So with that expression I can pass the role value of "admin-user" in the SAML attribute if the user is a member of the "org_manager" AD group, but what if the user is a member of "org_developer", for which I would need to pass the corresponding role value of "power-user" instead, and likewise if the user is a member of "org_employee" then I would need to pass the role value of "user".
I need to add onto this expression - - > GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" so that it will evaluate the two other possible AD groups from memberOf, something like this:
GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" + CONTAINS ('org_developer') ? "power-user" : "" + CONTAINS ('org_employee') ? "user" : ""
Would very much appreciate any help on figuring this out.
Thank you!
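The mapping the post is asking for, modelled in Python as an added example (it is not code from the original post and not the SAML expression language it uses): a priority-ordered lookup so that a user in several groups gets exactly one role, matching the group CN exactly rather than as a substring. It assumes memberOf values are LDAP DNs of the form "CN=group,OU=...,DC=..."; the group and role names come from the post, the DN suffix and the extra group name are constructed.

```python
# Added example, not from the original post: maps a user's memberOf values
# to a single "UserRole" value with a fixed precedence and exact CN matching.
# Assumption: memberOf values are DNs whose first RDN is the group CN.

from typing import Iterable, Optional

# Most privileged group first, so a user who is in several mapped groups
# receives one deterministic role instead of a concatenation of roles.
GROUP_TO_ROLE = [
    ("org_manager", "admin-user"),
    ("org_developer", "power-user"),
    ("org_employee", "user"),
]


def group_cn(dn: str) -> Optional[str]:
    """Return the CN of a DN like 'CN=org_manager,OU=Groups,DC=example,DC=com'."""
    first_rdn = dn.split(",", 1)[0].strip()
    key, sep, value = first_rdn.partition("=")
    if sep and key.strip().lower() == "cn":
        return value.strip()
    return None  # not a CN-led DN; ignored by the mapping


def user_role(member_of: Iterable[str]) -> str:
    """Map memberOf to one role; exact CN match avoids substring over-matching."""
    cns = {group_cn(dn) for dn in member_of}
    for group, role in GROUP_TO_ROLE:
        if group in cns:
            return role
    return ""  # no mapped group: send an empty value, not a default role


if __name__ == "__main__":
    # Constructed sample memberOf values for a user in two mapped groups.
    sample = [
        "CN=org_developer,OU=Groups,DC=example,DC=com",
        "CN=org_employee,OU=Groups,DC=example,DC=com",
    ]
    print(user_role(sample))  # power-user
```

A plain substring check such as CONTAINS('org_manager') would also match a constructed group like "org_manager_readonly", which is why the example compares the parsed CN exactly.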