Forum Discussion
heenakhanam0708
Altocumulus
AltocumulusHow to get group name CN from session.ad.last.attr.memberOf when there are multiple attribute value
Hi all, When I use the session.ad.last.attr.memberOf variable the group values are like: saml2:Attribute Name="groups" saml2:AttributeValue CN=webaccess,OU=Users,OU=mydomain,DC=com /saml2:At...
I found an error though causing duplicate entries
you can use this one as custom expressionset result "" set groups [mcget {session.ad.last.attr.memberOf}] foreach {full match} [regexp -all -inline {CN=([^,]+)} $groups] { append result "| $match " } append result "|" return $result
Injeyan_Kostas
Nacreous
NacreousYour session.ad.last.attr.memberOf variable should be like this:
| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |
This
saml2:Attribute Name="groups"
saml2:AttributeValue CN=webaccess,OU=Users,OU=mydomain,DC=com /saml2:AttributeValue
saml2:AttributeValue CN=webtest,OU=Users,OU=mydomain,DC=com /saml2:AttributeValue
saml2:AttributeValue CN=webfort,OU=Users,OU=mydomain,DC=com /saml2:AttributeValue
saml2:AttributeValue CN=webui,OU=Users,OU=mydomain,DC=com /saml2:AttributeValue
/saml2:Attribute"Is what is injected in SAML assertion which I assume you are using
So your goal is to modify this:
| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |
To this:
| webaccess | webtest | webfort | webui |And then SAML assertion will be ok also
So, you can create a new custom valiable, in you example “session.sso.token.last.attr.groups”
And you as custom expression
set result ""
foreach match [regexp -all -inline {CN=([^,]+)} [mcget {session.ad.last.attr.memberOf}]] {
regexp {CN=([^,]+)} $match dummy cn
append result "| $cn "
}
append result "|"
return $result
of course add to SAML attributes this new custom valiable
