Sending specific active directory groups as SAML attributes

Question

This is a two part question. We are building out SSO with a new Service Provider (SP). The SP is looking for specific Active Directory group(s) that they will use to determine the user's role. The attribute we are passing is named "RoleName" and the value is %{session.ldap.last.attr.memberOf}. &nbsp;

Is there a way we can send just the groups they need instead of sending all groups the user is a member of?&nbsp;

How can everything after the first CN be stripped off? For example, if member of returns CN=abc group,CN=Users,DC=company,DC=com and you want to return just "abc group".&nbsp;

We are running F5 Big-IP LTM and APM version 12.1.2.&nbsp;

henrik_s_142222 · Answer

I would probably have done that by creating a custom variable assign with some TCL magic that parses the memberOf attribute in search of the groups in question, and populating the variable with whatever output you would need.

Forum Discussion

Sending specific active directory groups as SAML attributes

Recent Discussions

Client SSL Profile set to Require Client Certificate breaks RDP in APM

TS Declarations for DNS

APM file and registry key date check 8 days old

SSL bridging without SSL proxy forward

Should config via cli rather than gui?

Related Content

Azure Active Directory and BIG-IP APM Integration

Add SameSite attribute to APM Cookies

Lightboard Lessons: HTTP Cookie SameSite Attribute

Set the SameSite Attribute for LTM Persistence Cookies

Changing samesite attribute on ASM TS Cookie

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS