APM: Split memberOf Concatenated Attribute into Single Attributes

BenJ
Nimbostratus

Hi,

I have APM running successfully as part of a SAML IdP chain. The external IdPs send group membership data as a single, pipe-delimited list of long group names (DNs). For example:

AttributeName=memberOf
AttributeValue=| CN=Group Name,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name2,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name3,OU=Groups,OU=Customer,DC=cust,DC=au |

I've been asked by the owner of the internal SAML SP (service owner) to send the "memberOf" attribute as multiple single attributes in the assertion provided by the F5. The service owner would also like just the CN (short name) of the group, rather than the full DN. So, the attribute would be something like:

AttributeName=memberOf
AttributeValue=Group Name
AttributeValue=Group Name2
AttributeValue=Group Name3

I believe this needs to be done using a Variable Assign agent in APM and a custom expression, but I have not been able to find an example of the correct TCL syntax to achieve it.

I can probably figure out how to split the string at each pipe character, but I'm not sure how to create multiple attribute values that will populate the new assertion based on the result. I can't get the external IdP to just return the CN, nor the groups as separate attributes, so I need to do this in APM.

Thanks for any help offered.

 

1 REPLY

Stanislas_Piro2
Cumulonimbus

Hi,

memberOf is not a string but a list with pipe as separator.

You can follow this thread to know how to extract CN from DN.

https://devcentral.f5.com/questions/how-to-get-group-name-cn-from-sessionadlastattrmemberof-51188ans...
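The following is an added example written for this page; it is not code from the question, the reply, or the linked thread. It is plain Tcl that runs under tclsh and shows the two steps the question asks about: splitting the pipe-delimited memberOf value into individual DNs and reducing each DN to its CN. The session variable name session.saml.last.attr.memberOf, the use of mcget inside a Variable Assign custom expression, and the idea that a "| a | b |" session value is what the SAML attribute mapping needs in order to emit several AttributeValue elements are all assumptions, not something the thread confirms; check them against your own policy and a captured assertion.

```tcl
# Added example, not code from the question or the reply.
# Standalone Tcl (run with tclsh) that turns APM's pipe-delimited memberOf
# string into group CNs. The session variable name and the Variable Assign
# form at the bottom are assumptions, not something the thread confirms.

# Constructed sample input in the "| DN | DN |" form quoted in the question.
set memberOf {| CN=Group Name,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name2,OU=Groups,OU=Customer,DC=cust,DC=au | CN=Group Name3,OU=Groups,OU=Customer,DC=cust,DC=au |}

# Return the CN of every DN in a pipe-delimited list, as a Tcl list.
# Empty entries (the leading and trailing pipes produce them) and entries
# that do not start with a CN= RDN are skipped; surrounding whitespace is
# ignored.
proc memberof_to_cns {value} {
    set cns [list]
    foreach dn [split $value "|"] {
        set dn [string trim $dn]
        if {$dn eq ""} { continue }
        # Capture the CN value up to the first comma that is not escaped
        # with a backslash (RFC 4514 allows "CN=Smith\, John").
        if {[regexp -nocase {^CN=((?:\\.|[^,\\])*)} $dn -> cn]} {
            lappend cns [string trim $cn]
        }
    }
    return $cns
}

# Rebuild the "| a | b |" form so the result can be stored in a session
# variable and mapped to a SAML attribute the same way the original
# memberOf value was.
proc cns_to_apm_list {cns} {
    if {[llength $cns] == 0} { return "" }
    return "| [join $cns " | "] |"
}

set cns [memberof_to_cns $memberOf]
puts "CNs:      $cns"
puts "APM form: [cns_to_apm_list $cns]"

# The same logic as a Variable Assign custom expression. Assumptions: the
# incoming value is in session.saml.last.attr.memberOf and mcget reads it;
# change the variable name to whatever your IdP-chain policy populates.
#
#   set cns [list]
#   foreach dn [split [mcget {session.saml.last.attr.memberOf}] "|"] {
#       set dn [string trim $dn]
#       if {[regexp -nocase {^CN=((?:\\.|[^,\\])*)} $dn -> cn]} {
#           lappend cns [string trim $cn]
#       }
#   }
#   return "| [join $cns " | "] |"
```

Two caveats before the service owner relies on the short names. First, a CN is only unique within its container: two groups with the same CN under different OUs or domains collapse to one value once the rest of the DN is dropped, so the SP should not use the bare CN for authorization unless it has confirmed that no such collisions exist. Second, whether APM emits one AttributeValue per pipe element depends on how the attribute is configured on the SAML IdP side; capture an assertion with a SAML trace and confirm the element count rather than assuming it from the session variable.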