FI_2016_187929
Feb 19, 2015Nimbostratus
SAML SSO send specific AD Group in Assertion
We are using F5 APM as IdP and are trying to send AD Groups in our SAML assertion to the SP using the attribute session.ldap.last.attr.memberof. Some of our AD groups have special character, causing the assertion to fail as documented in https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15157.html. We don't need to send all the AD Groups to the SP, only the groups that would be related to the application we are logging into. We are trying to configure a custom variable in the APM to select specific groups. Is this possible? Could we configure a custom expression like { set memberof [mcget {session.ldap.last.attr.memberof}] contains "appname" }?