

heenakhanam0708
May 30, 2025
Solved

How to get the group name CN from session.ad.last.attr.memberOf when there are multiple attribute values

Hi all,

When I use the session.ad.last.attr.memberOf variable, the group values look like this:

<saml2:Attribute Name="groups">
    <saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
</saml2:Attribute>

The question is: how can I strip out just the first group name (the CN part) from each attribute value in an APM access policy using the Variable Assign element? So in the example above I only need webaccess, webtest, webfort, webui, like below.

<saml2:Attribute Name="groups">
    <saml2:AttributeValue>webaccess</saml2:AttributeValue>
    <saml2:AttributeValue>webtest</saml2:AttributeValue>
    <saml2:AttributeValue>webfort</saml2:AttributeValue>
    <saml2:AttributeValue>webui</saml2:AttributeValue>
</saml2:Attribute>

I have tried multiple scripts but am not getting the desired result.

1.

set mem_fields [split [mcget {session.ad.last.attr.memberOf}] "|"]
foreach mem $mem_fields {
    if { $mem contains "CN" } { set found $mem }
}
set grp_fields [split $found "=,"]
return [lindex $grp_fields 1]

I used this, but the output is just the first CN name:

saml attribute value webaccess /saml attribute value

==============================================

2.

set newGroups [list]
foreach group [mcget {session.ad.last.attr.memberOf}] {
    if {[regexp {CN=([^,]+)} $group - cn]} {
        lappend newGroups $cn
    }
}
set session.sso.token.last.attr.groups $newGroups

The output is:

saml attribute value webaccesswebfortwebtestwebui/saml attribute value

3.

set newGroups [list]
foreach group [mcget {session.ad.last.attr.memberOf}] {
    if {[regexp {CN=([^,]+)} $group - cn]} {
        lappend newGroups $cn
    }
}
set session.custom.group_cns [join $newGroups "\n"]

The output is:

saml attribute value webaccess
webfort
webtest
webui/saml attribute value

Any help is much appreciated.
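One way to do this in a Variable Assign custom expression, as an added example that is not the poster's code: split the multi-valued memberOf string on its separator (assumed here to be "|", possibly with surrounding spaces), keep only the first CN component of each DN, and re-join with the same separator so the result keeps the multi-valued shape of the source variable rather than collapsing into one string.

```tcl
# Added example for an APM Variable Assign custom expression (not the poster's code).
# Assumption: APM stores a multi-valued attribute as a single string with "|"
# between values; whitespace around each value is trimmed so " | " also works.
set cns [list]
foreach dn [split [mcget {session.ad.last.attr.memberOf}] "|"] {
    set dn [string trim $dn]
    # Match only a leading CN= component, up to the first comma, so OU/DC parts
    # are dropped; -nocase covers directories that emit "cn=". DNs without a
    # leading CN are skipped rather than producing an empty value.
    if {[regexp -nocase {^CN=([^,]+)} $dn -> cn]} {
        lappend cns [string trim $cn]
    }
}
# Re-join with the same separator (assumed "|") so APM still sees one value per
# group; joining with "" or "\n" is what produced the single merged value above.
return [join $cns "|"]
```

Assign the expression's return value to the session variable that the SAML attribute "groups" is mapped from, rather than to a new variable the mapping does not read.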


9 Replies
