Hello Patrick, thank you for your response, but I think you might have misunderstood my question, because it appears that @Legacy User originally posted this question and @HubertDennis responded with a solution. But since I posted this question last night, I continued all night trying to make my expression work based on Hubert's solution below and eventually got it to work!
This is Hubert's solution:
TRANSLATE(ENUMERATE(SM_USERNESTEDGROUPS, STRING(RDN(STRING(%0), FALSE))),'^',',',TRUE)
This is the final expression combining my attribute expression with Hubert's expression to get SiteMinder to query the "memberOf" AD attribute and pull only AD groups matching this wildcard filter *Availity* and return only the CN value of those groups separated by commas:
TRANSLATE (Filter(ENUMERATE(memberOf, STRING(RDN(STRING(%0), FALSE))), '*Availity*'),'^',',',TRUE)
Below is the SAML attribute result:
<ns2:Attribute Name="EX_memberOf-wildcard-comma-separated" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" > <ns2:AttributeValue>Availity_InsightReportPkg_Prod,Availity_CareManagement_Prod,Availity_Customer-Provider_Prod,Availity_InsightReportPkg_QA,Availity_CareManagement_QA,Availity_Customer-Provider_QA</ns2:AttributeValue>
I think this is probably one of the most frequently asked questions for all SiteMinder users when it comes to expression attributes, because it is probably one of the most common needs for all organizations out there to pass multiple AD/LDAP group memberships via SAML attributes or HTTP request headers and separate the values by commas. I really don't understand why SiteMinder's default attribute delimiter is a caret "^" sign rather than a comma, because I don't think we've encountered anyone out there that required the delimiter to be anything other than commas.
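Added example (not part of the original post, and not SiteMinder code): a Python model of what the final expression above is described as doing, run over constructed memberOf values, with a check for group names that themselves contain the delimiter and would be split wrongly by the party consuming the attribute. The DN unescaping and the case-sensitive wildcard match are assumptions of this sketch, not documented SiteMinder behaviour.

```python
import fnmatch
import re

# Constructed sample memberOf values (not taken from the thread's directory).
SAMPLE_MEMBER_OF = [
    "CN=Availity_CareManagement_Prod,OU=Groups,DC=example,DC=com",
    "CN=Jira_Users,OU=Groups,DC=example,DC=com",
    r"CN=Availity\, Inc_QA,OU=Groups,DC=example,DC=com",  # CN contains a comma
    "CN=Availity_InsightReportPkg_QA,OU=Groups,DC=example,DC=com",
]


def rdn_value(dn):
    """Return the value of the first RDN of a DN, without the 'CN=' part."""
    # Take everything up to the first comma that is not backslash-escaped.
    first = re.match(r"(?:\\.|[^,\\])*", dn).group(0)
    _, _, value = first.partition("=")
    # Undo DN escaping: '\,' style and '\2C' style (ASCII hex pairs only here).
    return re.sub(
        r"\\([0-9A-Fa-f]{2}|.)",
        lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1),
        value,
    )


def group_list(member_of, pattern, delimiter=","):
    """Model of ENUMERATE + RDN, then Filter, then TRANSLATE('^' -> delimiter).

    Returns the joined string and the names that contain the delimiter,
    which a consumer splitting on it cannot tell apart from two groups.
    """
    names = [rdn_value(dn) for dn in member_of]
    matched = [n for n in names if fnmatch.fnmatchcase(n, pattern)]
    ambiguous = [n for n in matched if delimiter in n]
    return delimiter.join(matched), ambiguous


if __name__ == "__main__":
    joined, ambiguous = group_list(SAMPLE_MEMBER_OF, "*Availity*")
    print("attribute value :", joined)
    print("consumer sees   :", joined.split(","))
    print("ambiguous names :", ambiguous)
```

Running the same check with `delimiter="^"` shows whether the default separator is any safer for a given directory's group names.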
Original Message:
Sent: 10-09-2019 02:48 AM
From: Patrick Dussault
Subject: Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?
Hi Duc,
Unfortunately, to separate LDAP groups is not possible using commas instead of carets:
How to customize a virtual attribute in a federation with use of OIDC
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=121383
Which separators does the Policy Server uses when it gets the user's group list?
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=16637
I hope this helps,
Best Regards,
Patrick
Original Message:
Sent: 10-08-2019 08:15 PM
From: Duc Tran
Subject: Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?
Hi Hubert,
Can you help me with this? Here is my current expression which works, but I need to have the comma delimited rather than the default caret:
Filter(ENUMERATE(memberOf, STRING(RDN(STRING(%0), FALSE))), '*jira*')
Much thanks in advance!
Original Message:
Sent: 02-08-2018 02:42 PM
From: Hubert Dennis
Subject: Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?
Himavanth Himavanth.Ganta
What is your use case? I am guessing it is not SAML, because in SAML it would be in different tags.
An OOB CA SSO Response sends multi-valued attributes separated by '^'.
Yes that can be replaced by ','.
e.g.
Expression |
---|
TRANSLATE(ENUMERATE(SM_USERNESTEDGROUPS, STRING(RDN(STRING(%0), FALSE))),'^',',',TRUE) |
https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators#Operators-TRANSLATEFunction--ReplaceStringValue