I've worked out the solution based on @Legacy User's reply in this thread.
In case anyone is interested, here's what I did.
First, create an attribute mapping in my user directory. I call it "GroupNamesTemp", using the expression
ENUMERATE(SM_USERNESTEDGROUPS, STRING(RDN(STRING(%0), FALSE)))
Then all I have to do is use this "GroupNames" attribute with the FMATTR function in my SAML Assertion config.
That's all. No plugin needs to be coded. :)
Best regards,
Zen
P.S. The only downside is that this can't differentiate between a security group and a distribution group, but that's OK for this implementation.
------------------------------
Principal Consultant
Nebulas Tree Pte. Ltd.
------------------------------
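As an added illustration (my own example, not code from the thread or from Siteminder), here is the transformation the ENUMERATE/RDN expression performs, written in Python over a constructed list of nested group DNs: it extracts each group's first RDN value, handling LDAP escaping, and also flags names that collapse together, since two groups with the same CN in different OUs become indistinguishable once only the name reaches the assertion.

```python
import re
from collections import defaultdict

# Constructed sample of what a nested-group lookup might return for one
# user (direct and nested group DNs). Not taken from the thread.
SAMPLE_NESTED_GROUP_DNS = [
    "CN=App-Admins,OU=Groups,DC=example,DC=com",
    "CN=All-Staff,OU=Distribution Lists,DC=example,DC=com",
    "CN=Finance\\, Team,OU=Groups,DC=example,DC=com",   # escaped comma in CN
    "CN=App-Admins,OU=Legacy,DC=example,DC=com",        # same CN, other OU
]

# First RDN: attribute type, '=', then the value up to the first unescaped comma.
_FIRST_RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=((?:\\.|[^,\\])*)")
_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def _unescape_rdn_value(raw: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',', '\\2C' -> ',' (hex-encoded UTF-8 byte)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            if _HEX_PAIR.match(raw[i + 1:i + 3]):
                out.append(int(raw[i + 1:i + 3], 16))
                i += 3
            else:
                out.extend(raw[i + 1].encode("utf-8"))
                i += 2
        else:
            out.extend(raw[i].encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def first_rdn_value(dn: str) -> str:
    """Equivalent of RDN(STRING(dn), FALSE): the value of the first RDN only."""
    m = _FIRST_RDN.match(dn)
    if not m:
        raise ValueError(f"not a DN: {dn!r}")
    return _unescape_rdn_value(m.group(1))


def group_names(dns):
    """What the ENUMERATE(...) mapping produces: one display name per group DN."""
    return [first_rdn_value(dn) for dn in dns]


def find_ambiguous_names(dns):
    """Names that several distinct DNs map to; authorizing on such a name is unsafe."""
    by_name = defaultdict(list)
    for dn in dns:
        by_name[first_rdn_value(dn)].append(dn)
    return {name: members for name, members in by_name.items() if len(members) > 1}
```

Run this against the real group list exported from the directory before relying on the mapped attribute for authorization; any entry returned by find_ambiguous_names needs a disambiguating rule on the relying-party side.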
Original Message:
Sent: 10-09-2020 07:07 PM
From: Zen Leow
Subject: How can I get group membership into SAML response attribute. (display name instead of Full DN, including nested group)
(Creating a new thread as Discussion instead of Question to be answered)
Hi community,
I have a question here that doesn't quite fall under support's jurisdiction, as it's more of a "how to" question. Hoping to get some help here.
The client is using Active Directory as the user store. We have the following configured so that the SAML response is able to return the groups (memberOf) that the user belongs to.
However, it comes in full DN format. Is there any way we can just provide the group's name instead? I know it probably can be done with a customised plugin, but the client wants to avoid customisation as much as possible, so I'm asked to ask Broadcom if there's a configuration way of doing it.
Next, this only provides direct groups and doesn't provide nested groups (meaning if one group is a member of another group, that other group doesn't get listed), because we are only looking at the memberOf attribute of the user's AD account. Do you know of any implementation that does something like this, and what is the official way this can be achieved in Siteminder?
Best regards,
Zen