We have a federation setup using SiteMinder 12.52 as IDP. We have a requirement to send user group membership information in an attribute, as part of the SAML assertion to the SP (which is outside the client network), so that the SP can perform fine-grained authorization. The issue is that SiteMinder sends all the available user groups assigned to the user in the assertion; we want to send only specific user groups (needed by the SP) based on custom criteria. For example, a simple criterion could be groups that are assigned to the user and contain a particular application name in the group DN.
We are using the Partnership model, and the only options I see there while setting the Assertion Attributes are: Static, User Attribute, Session Attribute, DN Attribute and Expression. If I use User Attribute, I do not see any additional option where I can provide the custom query criteria.
Is there any way in the SiteMinder federation configuration to send only a subset of the groups that are assigned to the user?
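As an added illustration (not SiteMinder code and not part of the original post), the following script models the selection described above: it filters a user's group DNs on the ou= component that names the application and renders the survivors as the multi-valued SAML attribute the SP would receive. The group DNs and the memberOf attribute name are constructed assumptions.

```python
"""Filter a user's LDAP group DNs down to the subset an SP needs and render
them as a multi-valued SAML 2.0 <Attribute>.  Added example, not SiteMinder
code: it models the selection the question asks for so the expected assertion
content can be checked before wiring it into a federation partnership.
Group DNs and the attribute name below are constructed sample values."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: everything the directory says the user belongs to.
USER_GROUPS = [
    "cn=app1-admins,ou=app1,ou=groups,dc=example,dc=com",
    "cn=app1-readers,ou=app1,ou=groups,dc=example,dc=com",
    "cn=app10-admins,ou=app10,ou=groups,dc=example,dc=com",
    "cn=hr-staff,ou=hr,ou=groups,dc=example,dc=com",
]

def dn_components(dn):
    """Split a DN into (attr, value) pairs. Handles escaped commas ('\\,')
    but not the full RFC 4514 grammar; enough for typical group DNs."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(p.split("=", 1)) for p in parts]

def groups_for_application(groups, app):
    """Keep only groups whose DN has an ou= component equal to the app name.
    Matching a whole component, rather than a substring, stops 'app1' from
    also selecting 'app10', so the SP never sees groups it has no need for."""
    return [g for g in groups if ("ou", app) in dn_components(g)]

def group_attribute(groups, app, attr_name="memberOf"):
    """Build the <saml:Attribute> element the SP would receive, carrying one
    AttributeValue per selected group."""
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": attr_name,
        "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"})
    for g in groups_for_application(groups, app):
        ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = g
    return attr

if __name__ == "__main__":
    ET.register_namespace("saml", SAML_NS)
    print(ET.tostring(group_attribute(USER_GROUPS, "app1"), encoding="unicode"))
```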