Forum Discussion

Kerry_Carey
Nov 06, 2017

Sending specific active directory groups as SAML attributes

This is a two part question. We are building out SSO with a new Service Provider (SP). The SP is looking for specific Active Directory group(s) that they will use to determine the user's role. The attribute we are passing is named "RoleName" and the value is %{session.ldap.last.attr.memberOf}.


  1. Is there a way we can send just the groups they need instead of sending all groups the user is a member of?


  2. How can everything after the first CN be stripped off? For example, if memberOf returns CN=abc group,CN=Users,DC=company,DC=com and you want to return just "abc group".


We are running F5 Big-IP LTM and APM version 12.1.2.


  • I would probably have done that by creating a custom variable assign with some TCL magic that parses the memberOf attribute in search of the groups in question, and populating the variable with whatever output you would need.
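One way to do what the reply suggests, as an added example that is not from the original thread and not F5's own code: an APM Variable Assign custom expression (Tcl) that keeps only an allowlist of groups, matched on their full DN rather than on the CN alone, and returns the CN value of each match. It assumes that APM exposes the multi-valued memberOf attribute through mcget as one string with " | " between the DNs (check this in the APM session report for a real session), that the expression's result is assigned to a hypothetical session.custom.rolename variable which the SAML attribute then references as %{session.custom.rolename}, and that the DNs in the allowlist are placeholders for the groups the SP actually cares about.

```tcl
# Added example, not from the original thread or from F5.
# APM Variable Assign custom expression for a hypothetical variable
# session.custom.rolename. Assumptions (not confirmed by the thread):
#   - mcget {session.ldap.last.attr.memberOf} returns every group DN the user
#     is a member of, joined into one string with " | " as the separator.
#   - The two DNs below are placeholders for the groups the SP wants.

# Match on the *full* DN, not just "abc group": a group with the same CN in
# another OU must not be able to grant the same role. Compared lower-cased
# because AD DNs are case-insensitive.
set wanted [list \
    [string tolower {CN=abc group,CN=Users,DC=company,DC=com}] \
    [string tolower {CN=app admins,OU=Groups,DC=company,DC=com}] \
]

set roles [list]
foreach dn [split [mcget {session.ldap.last.attr.memberOf}] "|"] {
    set dn [string trim $dn]
    if {[lsearch -exact $wanted [string tolower $dn]] < 0} {
        continue
    }
    # Keep only the value of the first RDN (CN=...). An RFC 4514 DN escapes a
    # comma inside a value as "\,", so consume escaped characters as part of
    # the value instead of stopping at the first comma, then unescape.
    if {[regexp -nocase {^CN=((?:\\.|[^,\\])+)} $dn -> cn]} {
        lappend roles [string map [list {\,} ,] $cn]
    }
}

# Value for the "RoleName" attribute. An empty string means the user is in
# none of the wanted groups, so the SP should grant no role at all.
return [join $roles " | "]
```

If the SP expects exactly one role, return [lindex $roles 0] instead of joining, and decide deliberately which group wins when a user is in more than one. Keeping the allowlist on the BIG-IP side also means the SP never sees the user's full group list, which avoids leaking internal group names to a third party.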