APM: Split memberOf Concatenated Attribute into Single Attributes
Hi,
I have APM running successfully as part of a SAML IdP chain. The external IdPs send group membership data as a single, pipe-delimited list of long group names (DNs). For example:
AttributeName=memberOf
AttributeValue=| CN=Group Name,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name2,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name3,OU=Groups,OU=Customer,DC=cust,DC=au |
I've been asked by the owner of the internal SAML SP (service owner) to send the "memberOf" attribute as multiple single attributes in the assertion provided by the F5. The service owner would also like just the CN (short name) of the group, rather than the full DN. So, the attribute would be something like:
AttributeName=memberOf
AttributeValue=Group Name
AttributeValue=Group Name2
AttributeValue=Group Name3
I believe this needs to be done using a Variable Assign agent in APM and a custom expression, but I have not been able to find an example of the correct TCL syntax to achieve it.
I can probably figure out how to split the string at each pipe character, but I'm not sure how to create multiple attribute values that will populate the new assertion based on the result. I can't get the external IdP to just return the CN, nor the groups as separate attributes, so I need to do this in APM.
Thanks for any help offered.
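The splitting and CN extraction asked about above, as an added TCL example written for an APM Variable Assign custom expression; it is not from the post or from F5. The session variable name in the comment is assumed, the input is a constructed sample in the post's format, and the regex also tolerates LDAP-escaped commas inside a CN, which the post's sample does not contain.

```tcl
# Added example: turn the pipe-delimited memberOf string into a TCL list of
# CN short names. In APM the input would come from a session variable, e.g.
# (assumed name, verify in your policy):
#   set raw [mcget {session.saml.last.attr.name.memberOf}]
# A constructed sample matching the post's format is used here instead.
set raw {| CN=Group Name,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name2,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name3,OU=Groups,OU=Customer,DC=cust,DC=au |}

set cns [list]
foreach dn [split $raw "|"] {
    set dn [string trim $dn]
    # The leading and trailing "|" produce empty elements; skip them.
    if {$dn eq ""} { continue }
    # Take the value of the first RDN only if it is a CN. A backslash-escaped
    # comma (\,) is part of the value, so "CN=Smith\, John,OU=..." is not cut
    # short at the escaped comma.
    if {[regexp -nocase {^CN=((?:\\.|[^,\\])+)} $dn -> cn]} {
        # Undo the LDAP escaping so the SP receives the plain short name.
        lappend cns [string trim [string map {{\,} ,} $cn]]
    }
    # Entries that do not start with CN= are dropped rather than forwarded.
}

# cns is now: {Group Name} {Group Name2} {Group Name3}
# Variable Assign stores the expression's return value in the chosen variable.
return $cns
```

How APM turns a session variable holding a TCL list into several AttributeValue elements is not something the post establishes; check that behaviour in the SAML IdP attribute mapping before relying on it.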