Symantec Access Management

  • 1.  Passing a subset of the "memberOf", but a specific group attribute rather than the "CN" value

    Posted Jun 14, 2018 08:02 PM

    Hello Folks,

     

    Could someone help me figure out how to use SiteMinder attribute expressions to pass a specific AD group from the "memberOf" user attribute, but passing a specific group attribute rather than the group's CN value?

     

    Basically, if my user ID is a member of "cn=HR_admin,ou=employee,ou=company,o=com", along with dozens of other AD groups that I am a member of, but I am only interested in the "HR_admin" group, I also want to pass the "groupType" value of the "HR_admin" group rather than its "CN" value.

     

    Is there a way with attribute expressions to tell SiteMinder to pass just the "groupType" attribute value of the "HR_admin" group from the "memberOf" user attribute?

     

    As always, much thanks in advance!



  • 2.  Re: Passing a subset of the "memberOf", but a specific group attribute rather than the "CN" value

    Posted Jun 15, 2018 02:08 AM

    Hi ,

     

    Refer to: Send only subset of the groups in the SAML assertions

     

    Regards,

    Leo Joseph.



  • 3.  Re: Passing a subset of the "memberOf", but a specific group attribute rather than the "CN" value

    Posted Jun 15, 2018 01:12 PM

    You should try the ENUMERATE and RDN functions.

    Something like ENUMERATE(SM_USERGROUPS, STRING(RDN(%0, FALSE)))

    Operators - CA Single Sign-On - 12.7 - CA Technologies Documentation 



  • 4.  Re: Passing a subset of the "memberOf", but a specific group attribute rather than the "CN" value

    Posted Jun 15, 2018 08:16 PM

    So I came across this expression and it is ALMOST what I need, but I just need to add one more piece of logic:

     

    GET('memberOf') CONTAINS (groupA) ? "admin-user" : ""

     

    Basically, there are a few targeted AD groups within the "memberOf" user attribute:

    groupA = admin-user

    groupB = power-user

    groupC = user

     

    The user is a member of only one of those three groups, so I need an expression that would evaluate which of those three groups is in the "memberOf" attribute and replace the group name with its role name (admin-user / power-user / user).

     

    So this expression --> GET('memberOf') CONTAINS (groupA) ? "admin-user" : ""

     

    will only evaluate whether the user is in "groupA" or not, but won't check the other two groups.



  • 5.  Re: Passing a subset of the "memberOf", but a specific group attribute rather than the "CN" value

    Posted Jun 18, 2018 09:27 AM

    Hi Duc,

     

    You could try the option below.
    Create an Attribute Mapping (Virtual Attribute) using this expression:
    Filter(ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))), 'GROUPA^GROUPB^GROUPC')

    Then use the same Virtual Attribute in the SAML Attribute section. But you would need to create three assertion attributes for evaluation of the groups and adding the role name.

    for Admin-User --> #{attr["virtual_attribute"] == 'GROUPA' ? 'admin-user' : 'NULL'}
    for Power_User --> #{attr["virtual_attribute"] == 'GROUPB' ? 'power-user' : 'NULL'}
    for User --> #{attr["virtual_attribute"] == 'GROUPC' ? 'user' : 'NULL'}

     

    hope this helps.

     

    Thanks,
    Sharan

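The ENUMERATE / RDN / Filter pipeline in the reply above, reworked in plain Python as an added example so the logic can be checked offline. This is not SiteMinder expression syntax and not code from anyone in this thread. It assumes a constructed memberOf list, the group names GROUPA/GROUPB/GROUPC used in the thread, and a constructed table of group-object attributes standing in for the directory lookup that the original "groupType" question would need. It also handles the two cases the thread glosses over: a user in none of the role groups, and a user in more than one.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: one user's multi-valued memberOf attribute.
SAMPLE_MEMBER_OF = [
    "cn=HR_admin,ou=employee,ou=company,o=com",
    "cn=GROUPB,ou=groups,ou=company,o=com",
    "cn=Smith\\, John Fans,ou=groups,ou=company,o=com",  # escaped comma in the RDN
    "cn=Printers,ou=groups,ou=company,o=com",
]

# Constructed sample: attributes of the group objects themselves (what the
# original question wants to send instead of the CN). Hypothetical values.
SAMPLE_GROUP_ATTRS: Dict[str, Dict[str, str]] = {
    "HR_admin": {"groupType": "-2147483646"},
    "Printers": {"groupType": "-2147483646"},
}

# Role mapping from the thread (assumed group names).
ROLE_BY_GROUP = {"GROUPA": "admin-user", "GROUPB": "power-user", "GROUPC": "user"}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on unescaped commas (RFC 4514 backslash escaping).
    Simplification: hex escapes (\\2C) and multi-valued RDNs (cn=a+ou=b) are not handled."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn_value(dn: str) -> str:
    """Value of the first RDN ('HR_admin' from 'cn=HR_admin,ou=...'), unescaped.
    Analogous to RDN(%0, FALSE) in the thread, which drops the 'cn=' prefix."""
    _, _, value = split_dn(dn)[0].partition("=")
    return re.sub(r"\\(.)", r"\1", value)


def group_names(member_of: List[str]) -> List[str]:
    """ENUMERATE step: the CN of every group the user is in."""
    return [rdn_value(dn) for dn in member_of]


def filter_groups(names: List[str], allowed) -> List[str]:
    """Filter step: keep only the groups of interest. AD CN matching is
    case-insensitive, so compare that way but return the canonical spelling."""
    canon = {a.lower(): a for a in allowed}
    return [canon[n.lower()] for n in names if n.lower() in canon]


def role_for(member_of: List[str], role_by_group: Dict[str, str] = ROLE_BY_GROUP) -> str:
    """One value for one SAML attribute. Returns '' when no role group matches.
    Raises when more than one matches: an IdP should not silently guess a role."""
    matches = sorted(set(filter_groups(group_names(member_of), role_by_group)))
    if not matches:
        return ""
    if len(matches) > 1:
        raise ValueError(f"user is in more than one role group: {matches}")
    return role_by_group[matches[0]]


def group_attribute(member_of: List[str], group_cn: str, attr: str,
                    group_attrs: Dict[str, Dict[str, str]] = SAMPLE_GROUP_ATTRS) -> Optional[str]:
    """The original question: an attribute of a specific group (e.g. groupType of
    HR_admin) rather than its CN. None when the user is not a member of that group."""
    if group_cn.lower() not in {n.lower() for n in group_names(member_of)}:
        return None
    return group_attrs.get(group_cn, {}).get(attr)


if __name__ == "__main__":
    print(group_names(SAMPLE_MEMBER_OF))
    print(role_for(SAMPLE_MEMBER_OF))
    print(group_attribute(SAMPLE_MEMBER_OF, "HR_admin", "groupType"))
```

The point of `role_for` is that a single attribute value comes out of one evaluation, which is what the SP side usually wants; the ambiguous-membership case is raised rather than resolved, because whichever of two roles a ternary chain happens to hit first would otherwise be asserted to the partner without anyone noticing.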


  • 6.  Re: Passing a subset of the "memberOf", but a specific group attribute rather than the "CN" value

    Posted Jun 20, 2018 06:12 PM

    Hi Sharan,

     

    Thank you so much for your help. One question. Rather than having three separate expression SAML attributes, is it possible to have one expression attribute that would do the evaluation? Our SAML SP partner would be expecting to get the value from only one attribute, so could we create just one expression attribute that would have multiple evaluations, such as:

     

    #{attr["virtual_attribute"] == 'GROUPA' ? 'admin-user' : 'NULL' + 'GROUPB' ? 'power-user' : 'NULL'+ 'GROUPC' ? 'user' : 'NULL'}

     

     

    Thanks in advance!