Symantec Access Management

  • 1.  CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?

    Posted Feb 08, 2018 02:36 PM

    Reference Thread : https://communities.ca.com/message/242041935-re-send-only-subset-of-the-groups-in-the-saml-assertions?commentID=242041935&et=watches.email.thread#comment-242041935

     

    Opened on behalf of Himavanth Himavanth.Ganta

     

    Question

    Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?

     

    Regards,

    Himavanth



  • 2.  Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?
    Best Answer

    Posted Feb 08, 2018 02:43 PM

    Himavanth Himavanth.Ganta

     

    What is your use case ? I am guessing it is not SAML, because in SAML it would be in different tags.

     

    An OOB CA SSO Response sends multi-valued attributes separated by '^'.

     

    Yes that can be replaced by ','.

     

    e.g.

     

    Expression
    TRANSLATE(ENUMERATE(SM_USERNESTEDGROUPS, STRING(RDN(STRING(%0), FALSE))),'^',',',TRUE)

     

    https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators#Operators-TRANSLATEFunction--ReplaceStringValue



  • 3.  Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?

    Posted Feb 08, 2018 03:21 PM

    Hi Hubert HubertDennis

     

    Yes, this is for SAML response. 

     

    I tried using TRANSLATE function as per the documentation but didn't add TRUE at the end of the expression.

     

    The above expression that you provided is working as expected for SAML response. Thanks for the suggestion.

     

    Regards,

    Himavanth



  • 4.  RE: Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?

    Posted Oct 08, 2019 08:15 PM
    Hi Hubert,

Can you help me with this?  Here is my current expression which works, but I need to have the comma delimited rather than the default caret:

    Filter(ENUMERATE(memberOf, STRING(RDN(STRING(%0), FALSE))), '*jira*')

Much thanks in advance!


  • 5.  RE: Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?

    Broadcom Employee
    Posted Oct 09, 2019 02:48 AM
    Hi Duc,

Unfortunately, separating LDAP groups is not possible using commas
instead of carets:

    How to customize a virtual attribute in a federation with use of OIDC
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=121383

    Which separators does the Policy Server uses when it gets the user's group list?
    https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=16637

    I hope this helps,

    Best Regards,
    Patrick


  • 6.  RE: Re: CA SSO : Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?

    Posted Oct 09, 2019 11:50 AM

Hello Patrick, thank you for your response, but I think you might have misunderstood my question because it appears that @Legacy User originally posted this question and @HubertDennis responded with a solution. But since I posted this question last night, I continued all night trying to make my expression work based on Hubert's solution below and eventually got it to work!

    This is Hubert's solution:

    TRANSLATE(ENUMERATE(SM_USERNESTEDGROUPS, STRING(RDN(STRING(%0), FALSE))),'^',',',TRUE)

    This is the final expression combining my attribute expression with Hubert's expression to get SiteMinder to query the "memberOf" AD attribute and pull only AD groups matching this wildcard filter *Availity* and return only the CN value of those groups separated by commas:

    TRANSLATE (Filter(ENUMERATE(memberOf, STRING(RDN(STRING(%0), FALSE))), '*Availity*'),'^',',',TRUE)

    Below is the SAML attribute result:
    <ns2:Attribute Name="EX_memberOf-wildcard-comma-separated"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
    > <ns2:AttributeValue>Availity_InsightReportPkg_Prod,Availity_CareManagement_Prod,Availity_Customer-Provider_Prod,Availity_InsightReportPkg_QA,Availity_CareManagement_QA,Availity_Customer-Provider_QA</ns2:AttributeValue>

    I think this is probably one of the most frequently asked question for all SiteMinder users when it comes to expression attributes because it is probably one of the most common needs for all organizations out there to pass multiple AD/LDAP group membership via SAML attributes or HTTP request header and separate the values by commas.  I really don't understand why SiteMinder's default attribute delimiter is a carrot "^" sign rather than a comma because I don't think we've encountered anyone out there that required the delimiter to be anything other than commas.