Forum Discussion

BenJ's avatar
Icon for Nimbostratus rankNimbostratus
Jan 30, 2017

APM: Split memberOf Concatenated Attribute into Single Attributes



I have APM running successfully as part of a SAML IdP chain. The external IdPs send group membership data as a single, pipe-delimited list of long group names (DNs). For example:




AttributeValue=| CN=Group Name,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name2,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name3,OU=Groups,OU=Customer,DC=cust,DC=au |"


I've been asked by the owner of the internal SAML SP (service owner) to send the "memberOf" attribute as multiple single attributes in the assertion provided by the F5. The service owner would also like just the CN (short name) of the group, rather than the full DN. So, the attribute would be something like:




AttributeValue=Group Name


AttributeValue=Group Name2


AttributeValue=Group Name3


I believe this needs to be done using a Variable Assign agent in APM and a custom expression, but I have not been able to find an example of the correct TCL syntax to achieve it.


I can probably figure out how to split the string at each pipe character, but I'm not sure how to create multiple attribute values that will populate the new assertion based on the result. I can't get the external IdP to just return the CN, nor the groups as separate attributes, so I need to do this in APM.


Thanks for any help offered.