Forum Discussion
How to get group name CN from session.ad.last.attr.memberOf when there are multiple attribute values
Hi all,
When I use the session.ad.last.attr.memberOf variable the group values are like:
<saml2:Attribute Name="groups">
<saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
</saml2:Attribute>
The question is how I can strip the group name (the CN part) out of each attribute value in an APM access policy using the variable assign element. So in the example above I only need webaccess, webtest, webfort and webui, like below.
<saml2:Attribute Name="groups">
<saml2:AttributeValue>webaccess</saml2:AttributeValue>
<saml2:AttributeValue>webtest</saml2:AttributeValue>
<saml2:AttributeValue>webfort</saml2:AttributeValue>
<saml2:AttributeValue>webui</saml2:AttributeValue>
</saml2:Attribute>
I have tried multiple scripts but am not getting the desired result:
1.
set mem_fields [split [mcget {session.ad.last.attr.memberOf}] "|"]; foreach mem $mem_fields { if { $mem contains "CN" } { set found $mem } }; set grp_fields [split $found "=,"]; return [lindex $grp_fields 1];
I used this, but the output is just the first CN name:
saml attribute value webaccess /saml attribute value
==============================================
2.
set newGroups [list]
foreach group [mcget {session.ad.last.attr.memberOf}] {
    if {[regexp {CN=([^,]+)} $group - cn]} {
        lappend newGroups $cn
    }
}
set session.sso.token.last.attr.groups $newGroups
The output is:
saml attribute value webaccesswebfortwebtestwebui/saml attribute value
3.
set newGroups [list]
foreach group [mcget {session.ad.last.attr.memberOf}] {
    if {[regexp {CN=([^,]+)} $group - cn]} {
        lappend newGroups $cn
    }
}
set session.custom.group_cns [join $newGroups "\n"]
The output is:
saml attribute value webaccess
webfort
webtest
webui/saml attribute value
Any help is much appreciated.
2 Replies
- Injeyan_Kostas
Cumulonimbus
Your session.ad.last.attr.memberOf variable should be like this:
| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |
This:
<saml2:Attribute Name="groups"><saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue><saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue><saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue><saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue></saml2:Attribute>
is what is injected into the SAML assertion, which I assume you are using.
So your goal is to modify this:
| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |
To this:
| webaccess | webtest | webfort | webui |
And then the SAML assertion will be OK as well.
So, you can create a new custom variable, in your example "session.sso.token.last.attr.groups",
and use this as the custom expression:
set result ""
# regexp -all -inline returns a flat list of pairs: the full match
# ("CN=webaccess") followed by the captured group name ("webaccess"),
# so iterate two elements at a time and take the second one.
foreach {match cn} [regexp -all -inline {CN=([^,]+)} [mcget {session.ad.last.attr.memberOf}]] {
    append result "| $cn "
}
append result "|"
return $result
Of course, add this new custom variable to the SAML attributes.

Hi heenakhanam0708, can you provide any example/screenshot of the output from the variables via the Access -> Overview -> Active Sessions view?
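The rewrite Injeyan_Kostas describes, from " | CN=...,OU=... | CN=...,OU=... | " to " | cn | cn | ", as an added example that is not code from the question or from either reply. It runs under plain tclsh against a constructed sample string (the sample and the proc names dn_cn and memberof_to_cns are assumptions; in APM the sample would be replaced by [mcget {session.ad.last.attr.memberOf}]). It goes a little beyond the thread in two ways: a CN containing an LDAP-escaped comma such as "Ops\, Team" is kept whole, where a pattern like {CN=([^,]+)} would cut it at the backslash, and a value that does not start with CN= is skipped instead of being carried through.

```tcl
# Constructed sample in the " | value | value | " form that APM uses for
# multi-valued session variables (standing in for
# [mcget {session.ad.last.attr.memberOf}]). The third entry has an
# LDAP-escaped comma in its CN; the fourth entry has no CN at all.
set sample { | CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=Ops\, Team,OU=Users,OU=mydomain,DC=com | OU=NoCommonName,DC=com | }

# Return the CN of one DN (its first RDN value, unescaped),
# or "" if the DN does not start with CN=.
proc dn_cn {dn} {
    set dn [string trim $dn]
    # CN= followed by a run of characters that are not an unescaped comma;
    # a backslash escapes the character after it, so "\," stays in the name.
    if {![regexp -nocase {^CN=((?:[^,\\]|\\.)*)} $dn -> raw]} {
        return ""
    }
    # Drop the escaping backslashes: "\," -> ",", "\\" -> "\".
    return [regsub -all {\\(.)} $raw {\1}]
}

# Rewrite " | dn | dn | " into " | cn | cn | ", skipping entries with no CN.
proc memberof_to_cns {memberof} {
    set cns [list]
    foreach entry [split $memberof "|"] {
        set cn [dn_cn $entry]
        if {$cn ne ""} {
            lappend cns $cn
        }
    }
    if {[llength $cns] == 0} {
        return ""
    }
    return "| [join $cns " | "] |"
}

puts [memberof_to_cns $sample]
```

For the sample above this yields "| webaccess | webtest | Ops, Team |". To use it in a Variable Assign custom expression, inline the two proc bodies into one script that ends with return, as the reply's expression does, with $sample replaced by [mcget {session.ad.last.attr.memberOf}]; whether APM accepts proc definitions inside a custom expression is not something this thread establishes, so inlining is the safe form. One caveat when a policy branches on the stripped value: a CN is only unique within its container, so two groups with the same name in different OUs (say CN=admins under a test OU and under a production OU) collapse to the same short name. Where that distinction matters, keep the full DN in the variable used for authorization decisions and pass only the shortened form to the application.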