Forum Discussion
How to get group name CN from session.ad.last.attr.memberOf when there are multiple attribute value
- Jun 17, 2025
Your session.ad.last.attr.memberOf variable should be like this:
| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |
This
<saml2:Attribute Name="groups">
<saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
</saml2:Attribute>
is what is injected in the SAML assertion, which I assume you are using.
So your goal is to modify this:
| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |
To this:
| webaccess | webtest | webfort | webui |
And then the SAML assertion will be OK also.
So, you can create a new custom variable, in your example “session.sso.token.last.attr.groups”
And use this as the custom expression:
set result ""
foreach match [regexp -all -inline {CN=([^,]+)} [mcget {session.ad.last.attr.memberOf}]] {
    regexp {CN=([^,]+)} $match dummy cn
    append result "| $cn "
}
append result "|"
return $result
Of course, add this new custom variable to the SAML attributes.
Dear Injeyan_Kostas, it seems the session.ad.last.attr.memberOf is just like how you showed.
| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,OU=Users,OU=mydomain,DC=com | CN=webfort,OU=Users,OU=mydomain,DC=com | CN=webui,OU=Users,OU=mydomain,DC=com |
and it's not presenting anything in the SAML response,
After using your expression, I am getting like this in the variable output,
| webaccess | webtest | webfort | webui |
and in the SAML response, like this
<saml2:AttributeValue>webaccess | webaccess | webtest | webfort | webui |</saml2:AttributeValue>
But the requirement is,
<saml2:AttributeValue>webaccess</saml2:AttributeValue>
<saml2:AttributeValue>webtest</saml2:AttributeValue>
<saml2:AttributeValue>webfort</saml2:AttributeValue>
<saml2:AttributeValue>webui</saml2:AttributeValue>
It's a single attribute with multiple values, and it should be presented as multiple values in plain text.
- Injeyan_Kostas Jun 17, 2025
Nacreous
heenakhanam0708 could you please check for typos in your config?
I just retested it and it works fine, at least in my env.
Moreover, in your first post you said that by default you see
<saml2:Attribute Name="groups">
<saml2:AttributeValue>CN=webaccess,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webtest,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webfort,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
<saml2:AttributeValue>CN=webui,OU=Users,OU=mydomain,DC=com</saml2:AttributeValue>
</saml2:Attribute>
How is it not showing anything now when you use session.ad.last.attr.memberOf?
- Injeyan_Kostas Jun 17, 2025
Nacreous
I found an error though causing duplicate entries
You can use this one as the custom expression:
set result ""
set groups [mcget {session.ad.last.attr.memberOf}]
foreach {full match} [regexp -all -inline {CN=([^,]+)} $groups] {
    append result "| $match "
}
append result "|"
return $result
- heenakhanam0708 Jun 23, 2025
Altocumulus
Hello Injeyan_Kostas,
Yes it worked 😍. I deleted the entire variable assign and reconfigured just like your solution.
And I got the desired output.
Yeah, I noticed the duplicate. Let me try your latest script and update the thread.
- Injeyan_Kostas Jun 25, 2025
Nacreous
Glad to hear it worked for you! Let me know if the new script runs without producing duplicates.
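An added example in plain Tcl, not code from the thread or from F5: the unanchored `CN=([^,]+)` pattern used above matches every `CN=` in the string, so a group stored under a `CN=Users` container also emits `Users` as a group name in the assertion, and a CN containing an escaped comma is cut short. The `mcget` stub, the sample DNs and the proc names `group_cns` and `format_groups` are constructed for illustration; inside an APM variable assign the real `mcget` is used and the stub is dropped.

```tcl
# Stand-in for APM's mcget so this runs in plain tclsh (assumption: memberOf
# arrives as one "| DN | DN |" string, as shown in this thread).
proc mcget {name} {
    # Constructed sample: the second group sits in a CN=Users container,
    # the third has an escaped comma inside its CN.
    return {| CN=webaccess,OU=Users,OU=mydomain,DC=com | CN=webtest,CN=Users,DC=mydomain,DC=com | CN=Ops\, Tier1,OU=Users,OU=mydomain,DC=com |}
}

# Return the CN of the leading RDN of each DN, without duplicates.
proc group_cns {memberOf} {
    set cns {}
    foreach dn [split $memberOf "|"] {
        set dn [string trim $dn]
        if {$dn eq ""} { continue }
        # ^ anchors to the first RDN only, so container CNs are ignored;
        # (?:\\.|[^,\\])+ also accepts escaped characters such as "\,".
        if {[regexp {^CN=((?:\\.|[^,\\])+)} $dn -> cn]} {
            regsub -all {\\(.)} $cn {\1} cn   ;# drop the DN escaping
            if {[lsearch -exact $cns $cn] < 0} { lappend cns $cn }
        }
    }
    return $cns
}

# Build the "| a | b |" form used in the thread for the custom variable.
proc format_groups {cns} {
    set result ""
    foreach cn $cns { append result "| $cn " }
    append result "|"
    return $result
}

set raw [mcget {session.ad.last.attr.memberOf}]

# The thread's pattern, for comparison: it also collects container names.
set loose {}
foreach {full cn} [regexp -all -inline {CN=([^,]+)} $raw] { lappend loose $cn }

puts "unanchored: $loose"
puts "anchored:   [group_cns $raw]"
puts [format_groups [group_cns $raw]]
```

Service providers that map these values to roles treat each one as a group name, so comparing the two lists against real directory data before changing the expression shows whether any container names are currently being asserted.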