
Forum Discussion

heenakhanam0708
May 30, 2025
Solved

How to get group name CN from session.ad.last.attr.memberOf when there are multiple attribute values

Hi all,


When I use the session.ad.last.attr.memberOf variable the group values are like:

<saml2:Attribute Name="groups">
    <saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
    <saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
</saml2:Attribute>


The question is how I can strip out the first group name CN part from each attribute value in an APM access policy using the variable assign element. So in the example above I only need webaccess webtest webfort webui, like below.

<saml2:Attribute Name="groups">
    <saml2:AttributeValue>webaccess</saml2:AttributeValue>
    <saml2:AttributeValue>webtest</saml2:AttributeValue>
    <saml2:AttributeValue>webfort</saml2:AttributeValue>
    <saml2:AttributeValue>webui</saml2:AttributeValue>
</saml2:Attribute>

I have tried multiple scripts but am not getting the desired result.

1.

set mem_fields [split [mcget {session.ad.last.attr.memberOf}] "|"]
foreach mem $mem_fields {
    if { $mem contains "CN" } { set found $mem }
}
set grp_fields [split $found "=,"]
return [lindex $grp_fields 1]

I used this, but the output is just the first CN name:

<saml2:AttributeValue>webaccess</saml2:AttributeValue>

==============================================

2.

set newGroups [list]
foreach group [mcget {session.ad.last.attr.memberOf}] {
    if {[regexp {CN=([^,]+)} $group - cn]} {
        lappend newGroups $cn
    }
}
set session.sso.token.last.attr.groups $newGroups

Output is:

<saml2:AttributeValue>webaccesswebfortwebtestwebui</saml2:AttributeValue>

3.

set newGroups [list]
foreach group [mcget {session.ad.last.attr.memberOf}] {
    if {[regexp {CN=([^,]+)} $group - cn]} {
        lappend newGroups $cn
    }
}
set session.custom.group_cns [join $newGroups "\n"]

Output is:

<saml2:AttributeValue>webaccess
webfort
webtest
webui</saml2:AttributeValue>

Any help is much appreciated.


  • Injeyan_Kostas
    Jun 17, 2025

    I found an error though causing duplicate entries.

    You can use this one as a custom expression:

    set result ""
    set groups [mcget {session.ad.last.attr.memberOf}]
    foreach {full match} [regexp -all -inline {CN=([^,]+)} $groups] {
        append result "| $match "
    }
    append result "|"
    return $result



9 Replies

  • Your session.ad.last.attr.memberOf variable should be like this:

    | CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |


    This:

    <saml2:Attribute Name="groups">
        <saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
        <saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
        <saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
        <saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
    </saml2:Attribute>

    is what is injected in the SAML assertion, which I assume you are using.


    So your goal is to modify this:

    | CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |


    To this:

    | webaccess | webtest | webfort | webui |

    And then the SAML assertion will be ok also.

    So, you can create a new custom variable, in your example "session.sso.token.last.attr.groups",

    and use this as the custom expression:

    set result ""
    foreach match [regexp -all -inline {CN=([^,]+)} [mcget {session.ad.last.attr.memberOf}]] {
        regexp {CN=([^,]+)} $match dummy cn
        append result "| $cn "
    }
    append result "|"
    return $result


    Of course, add this new custom variable to the SAML attributes.
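An added stand-alone reproduction (not code from the thread) that runs under tclsh and contrasts the one-element-at-a-time loop in this reply with the pairwise `foreach {full match}` form from the accepted expression, showing why the former appends duplicate entries. The memberOf string is a constructed sample standing in for [mcget {session.ad.last.attr.memberOf}].

```tcl
# Added example, not code from the thread: run with tclsh to see why the
# one-element-at-a-time loop yields duplicate entries and the pairwise form
# does not. In APM the string comes from [mcget {session.ad.last.attr.memberOf}];
# here a constructed sample stands in for it so the script runs stand-alone.
set memberOf "| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |"

# With one capture group, regexp -all -inline returns a flat list alternating
# full match and submatch: CN=webaccess webaccess CN=webtest webtest ...
puts "match list: [regexp -all -inline {CN=([^,]+)} $memberOf]"

# Iterating one element at a time also visits each submatch ("webaccess");
# the inner regexp fails on it, $cn keeps its previous value, and every CN
# ends up appended twice.
proc cnsOneAtATime {memberOf} {
    set result ""
    foreach match [regexp -all -inline {CN=([^,]+)} $memberOf] {
        regexp {CN=([^,]+)} $match dummy cn
        append result "| $cn "
    }
    append result "|"
    return $result
}

# Consuming the list two elements at a time keeps only the capture group, and
# the "| a | b |" layout mirrors the source variable shown in the reply.
proc cnsPairwise {memberOf} {
    set result ""
    foreach {full match} [regexp -all -inline {CN=([^,]+)} $memberOf] {
        append result "| $match "
    }
    append result "|"
    return $result
}

puts "one at a time: [cnsOneAtATime $memberOf]"
puts "pairwise:      [cnsPairwise $memberOf]"
```

Note that `[^,]+` stops at the first comma, so a group whose CN contains an escaped comma (for example CN=Sales\, EMEA) is truncated, and CN alone is not unique across OUs. If the receiving application authorizes on these values, verify that the names it sees are the groups intended.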

    • heenakhanam0708

      Dear Injeyan_Kostas, it seems the session.ad.last.attr.memberOf is just like how you showed.

      | CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |

      and it's not presenting anything in the SAML response.

      After using your expression, I am getting this in the variable output:

      | webaccess | webtest | webfort | webui | 

      and in the SAML response, this:

      <saml2:AttributeValue>webaccess | webaccess | webtest | webfort | webui |</saml2:AttributeValue>

      But the requirement is:

      <saml2:AttributeValue>webaccess</saml2:AttributeValue>
      <saml2:AttributeValue>webtest</saml2:AttributeValue>
      <saml2:AttributeValue>webfort</saml2:AttributeValue>
      <saml2:AttributeValue>webui</saml2:AttributeValue>

      It's a single attribute with multiple values, and it should be presented as multiple values in plain text.

      • Injeyan_Kostas

        heenakhanam0708, could you please check for typos in your config.
        I just retested it and it works fine, at least in my env.

        Moreover, in your first post you said that by default you see:

        <saml2:Attribute Name="groups">
            <saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
            <saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
            <saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
            <saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
        </saml2:Attribute>

        How is it not showing anything now when you use session.ad.last.attr.memberOf?

    • heenakhanam0708

      Dear JoshBecigneul,

      The variable output is as below:

      | CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |