Custom session variable for filtered memberOf AD attribute

Since you already have the memberOf session variable and this is a subset. I'd just run the split command on memberOf and iterate through the results to make your new list of F5- only ones.

 

https://www.tcl.tk/man/tcl8.4/TclCmd/split.htm

 

Why would this be necessary? APM will cache all AD groups in the domain regardless of this filter.

You can use a Variable Assign box with an expression like this:

set list "|";
foreach element [split [mcget {session.ad./Common/myPolicy_act_active_directory_query_ag.attr.member}] "|"] {
if { $element contains "Adm"}{
append list "$element | ";
}
}
return $list;

I assigned it to a variable session.custom.myvar. You will need to modify your session variable accordingly but it should work.

Sorry, I should have provided more information. We are actually passing these session variables as SAML attributes to another product (zscaler). And, it turns out that you can't have more than 8 groups on that device, so we need a way to filter them down to just the groups that are meaningful to the zscaler configuration.

Newbie here, so please excuse me for not understanding.

 

thanks all for this post and answers! Took me a while to find this and it works great for me if I have multiple groups containing "XYZ". However, If I have only one group it appends the pipe in front and back of the single value. Was hoping to just return the single value.

 

Any help would be great!

 

Thank you