Layer7 Access Management


Send only subset of the groups in the SAML assertions

  • 1.  Send only subset of the groups in the SAML assertions

    Posted 10-29-2014 06:12 PM

    We have a federation setup using SiteMinder 12.52 as IDP. We have a requirement to send user group membership information in an attribute, as part of the SAML assertion to the SP (which is outside the client network), so that the SP can perform fine-grained authorization. The issue is that SiteMinder sends all the available user groups assigned to the user in the assertion; we want to send only specific user groups (needed by the SP) based on custom criteria. For example, a simple criterion could be groups which are assigned to the user and contain a particular application name in the group DN.

     

    We are using the Partnership model and the only options that I see there while setting the Assertion Attributes are: Static, User Attribute, Session Attribute, DN Attribute and Expression. If I use User Attribute, I do not see any additional option where I can provide the custom query criteria.

     

    Is there any way in the SiteMinder federation configuration to send only a subset of the groups that are assigned to the user?



  • 2.  Re: Send only subset of the groups in the SAML assertions

    Posted 10-30-2014 03:56 PM

    Would the expression option work?

     

    ------------------------------

    For example:

     

    Group = #{attr["memberOf"] == 'my-group-name' ? 'my-group-name' : 'DELETE'}

     

    In this case if the memberOf attribute contains "my-group-name" then the assertion will return the attribute with the value "my-group-name", otherwise it will not be present in the response.

     

    You could also make it straight forward as "authorized" or "not authorized" such as:

     

    Group = #{attr["memberOf"] == 'my-group-name' ? 'Authorized' : 'Not Authorized'}

    ------------------------------

     

     

    There are a number of options and other operators such as != etc., so you could play with that to get it how you want. Take a look at the Federation guide (pg. 91) - https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052-ENU/Bookshelf_Files/PDF/siteminder_fed_partnership_enu.pdf



  • 3.  Re: Send only subset of the groups in the SAML assertions

    Posted 10-30-2014 04:45 PM


    Thanks CBertagnolli for your response.

    I was researching the option of using a JUEL script but could not find an operator like "contains". The == operator will not work for us because the user is going to have multiple groups but we want to send only the one or two groups which are needed by the SP application.

     

    For example, if something equivalent to contains exists in JUEL, then we could use the expression below.

     

    Group = #{attr["memberOf"] contains 'SPapp-group-name' ? 'SPapp-group-name' : 'Not Authorized'}

     

    Let me know if something like this exists.



  • 4.  Re: Send only subset of the groups in the SAML assertions

    Posted 10-30-2014 06:25 PM

    Ah yeah, never tried that way with regards to a multi-valued attribute. Was just a quick thought I had.

     

    Unfortunately my experience with SiteMinder is that multi-value isn't always handled very well (especially with LDAP since it doesn't just pass a direct query for a simple yes/no). I suppose you could argue it's not a true equality but really it is since it equals said value within a multi-valued attribute.



  • 5.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-06-2014 06:37 PM

    Have you had any luck with this? If not, what about a custom assertion plug-in? That would allow you to pull them and do just about anything you want with the assertion info. It'd be custom development of course but might be worth looking into.



  • 6.  Re: Send only subset of the groups in the SAML assertions

    Posted 10-05-2015 11:09 AM

    Hi CBertagnolli,

     

    I have a similar situation as above, but a little different.

     

    We have four groups and the user might be in one or two of them, which need to be sent as an attribute in the assertion. Will the above query work to send the group info of the user?

     

    Please let me know; if not, how do I do a custom assertion plug-in?

     

    And I need a SAML assertion like the example below:

     

    <saml:AttributeStatement>
        <saml:Attribute Name="Groups"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">{group1}</saml:AttributeValue>
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                 xsi:type="xs:string">{group2}</saml:AttributeValue>
        </saml:Attribute>


    Is this possible?

     

    -Chris



  • 7.  Re: Send only subset of the groups in the SAML assertions

    Posted 10-05-2015 03:54 PM

    Hi Risz,

     

    Were you able to achieve this, please let me know.



  • 8.  Re: Send only subset of the groups in the SAML assertions

    Posted 05-10-2016 03:15 PM

    CA,

     

    Is there a documented way to send a subset of user groups in a SAML response?

     

    Thank you



  • 9.  Re: Send only subset of the groups in the SAML assertions

    Posted 07-08-2016 05:00 PM

    To send a particular set of groups in which the user is present, you will have to use an assertion generator plugin. Even after you use an AGP you will need to have criteria or logic for how to send those particular groups in the assertion, because for the current user the memberof attribute will have all the groups in which the current user is present.

     

    In out-of-the-box SiteMinder you can send the attribute as is, which means the policy server can only send whatever the current user has in the memberof attribute. For example, if the current user is a member of 10 groups, then the SiteMinder policy server will send all the groups in which the user is present and cannot send some specific groups as per your requirements.



  • 10.  Re: Send only subset of the groups in the SAML assertions

    Posted 07-09-2016 02:53 PM

    We can do this quite easily using Expression.

     

    However you have to do this using a workaround since Federation Partnership Expressions don't work. So the hack is to do it via the Attribute Mapping in User Directory Object.

    How to format a nameID value in the assertion configuration for a federation partnership

     

     

     

    Try this Expression.

     

    TEST TOOL RESULT

     

    1> id 224, len 078 : 'FILTERGRP=cn=Adminprofile_ABC,dc=ca,dc=com^cn=Advancefprofile_ABC,dc=ca,dc=com' - '63 6e 3d 41 64 6d 69 6e 70 72 6f 66 69 6c 65 5f 41 42 43 2c 64 63 3d 63 61 2c 64 63 3d 63 6f 6d 5e 63 6e 3d 41 64 76 61 6e 63 65 66 70 72 6f 66 69 6c 65 5f 41 42 43 2c 64 63 3d 63 61 2c 64 63 3d 63 6f 6d '

    2> id 224, len 139 : 'AllGRP=cn=Adminprofile_ABC,dc=ca,dc=com^cn=Advancefprofile_ABC,dc=ca,dc=com^cn=Group0,dc=ca,dc=com^cn=application1-Group-admin,dc=ca,dc=com' - '63 6e 3d 41 64 6d 69 6e 70 72 6f 66 69 6c 65 5f 41 42 43 2c 64 63 3d 63 61 2c 64 63 3d 63 6f 6d 5e 63 6e 3d 41 64 76 61 6e 63 65 66 70 72 6f 66 69 6c 65 5f 41 42 43 2c 64 63 3d 63 61 2c 64 63 3d 63 6f 6d 5e 63 6e 3d 47 72 6f 75 70 30 2c 64 63 3d 63 61 2c 64 63 3d 63 6f 6d 5e 63 6e 3d 61 70 70 6c 69 63 61 74 69 6f 6e 31 2d 47 72 6f 75 70 2d 61 64 6d 69 6e 2c 64 63 3d 63 61 2c 64 63 3d 63 6f 6d '

     




  • 11.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-04-2017 01:01 AM

    Hi Hubert,

     

    I came across this thread and got really excited because this is exactly what I had been trying to resolve for a long time, but had given up on because we didn't know it was possible with the use of attribute expressions. So I followed your example above but it does not seem to work for me.

     

    I need to query the current login user from the user store (Active Directory) to see if the user is a member of a set of AD groups and, if so, pass the "CN" attribute of those AD groups into a SAML attribute and separate the multiple group names by a comma.

     

    If this is accomplishable with the use of attribute expressions then could you provide an example of the expression syntax? Something like: - - - > FILTER(GET('memberof'), '*group1*', '*group2*', '*group3*')

     

    The tricky part here is that our "memberof" user attribute contains the group DN values of the groups that the user is a member of, but we need to return the CN value of those groups rather than the DN value.

     

    Much thanks in advance.

     

    Duc Tran



  • 12.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-04-2017 04:31 PM

    Duc dmt953

     

    In general you can get away with a much simpler expression response just to pass Group Name (CN value instead of complete DN). Here it is.

     

    Can you parse SM_Usergroups to only return just the CN of a group instead of the full DNs of each group?
    ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE)))

    RESULT : 'HTTP_OnlyGroupName=Adminprofile_ABC^Advancefprofile_ABC^Group0^application1-Group-admin'

    OTHERWISE : 'HTTP_AllGRP=cn=Adminprofile_ABC,dc=ca,dc=com^cn=Advancefprofile_ABC,dc=ca,dc=com^cn=Group0,dc=ca,dc=com^cn=application1-Group-admin,dc=ca,dc=com'

     

     

     

     

     

    In the scenario that you've sought out, refer to the FILTER documentation here.

     

    Here is what I know works 100%. This expression returns only GroupName which matches *ABC* anywhere in the list of groups that SM_USERGROUPS return. 

     

    Expression
    Filter(ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))), '*ABC*')

     

    From the above example this would give RESULT : HTTP_OnlyGroupName=Adminprofile_ABC^Advancefprofile_ABC

     

     

    Now I have not tested this, however I am sure this (Option-2 at worst) would work. Also, since you mentioned separated by comma, here it is. Test and let me know. If Option-1 works, then I'd prefer Option-1 over Option-2 (just throwing in my preference).

     

    Expression (OPTION-1)
    Filter(ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))), 'GROUP1^GROUP2^GROUP3')

     

    Expression (OPTION-2)
    Filter(ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))), '*GROUP1*') + "," + Filter(ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))), '*GROUP2*') + "," + Filter(ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))), '*GROUP3*')


  • 13.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-06-2017 09:49 PM

    Hi Hubert,

     

    Thanks for taking the time putting together this elaborate response. 

     

    So in your example - - >  Filter(ENUMERATE(SM_USERGROUPS, STRING(RDN(STRING(%0), FALSE))), 'GROUP1^GROUP2^GROUP3')

    What value is "SM_USERGROUPS"? I assumed you are referencing the "memberof" AD user attribute, which lists all of the AD groups that the user is a member of, and the rest of the script will parse out only the groups that the user is a member of? With that, this is what I plugged in for my script but it did not work:

     

    Filter(ENUMERATE(Get'memberof'), STRING(RDN(STRING(%0), FALSE))), 'administrator^user^employee')



  • 14.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-06-2017 10:26 PM

    SM_USERGROUPS should return all the groups the user is a member of. Hence we could use SM_USERGROUPS or memberOf.

     

    Could we change, in your expression,

    Get 'memberof'

    to

    Get('memberof').

     

    Did you try Option-2?

     

     

    Regards

     

    Hubert

    CA Services



  • 15.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-07-2017 04:07 AM

    Duc dmt953

     

    Just tested this and this works.

     

     

    Expression (Option-2)
    Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*ABC*') + "," + Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*application3*')

     

    NOTE : My User Store is LDAP (ODSEE), hence it is 'isMemberOf'.



  • 16.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-27-2017 05:32 PM

    Hi Hubert,

     

    Thanks for providing this information.

     

    We have a similar use case where we want to send user groups as separate attribute values. We tried using FMATTR:expressionname in the value section in the federation partnership, but couldn't send user groups as separate attribute values.

     

    Can you please provide any solutions for this requirement?

     

    Output in the form:

     

    <ns2:AttributeValue>ABC-group1</ns2:AttributeValue>
    <ns2:AttributeValue>application3-group2</ns2:AttributeValue>

     

     

    Regards,

    Himavanth



  • 17.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-27-2017 08:00 PM

    Himavanth Himavanth.Ganta

     

    I am not sure if FMATTR would work directly with an Expression. It was never intended to be used that way, hence it was not built / tested in that aspect. Although I see no reason why it could not be used as solution needs evolve, it may need some internal changes within the Product.

     

    Here's what I could suggest "MAY" work. Create a Virtual Attribute via Attribute Mapping (using an expression) in the User Directory (I have a screenshot above for Attribute Mapping). Then in the SAML Attributes section use FMATTR:VirtualAttributeName. Again I am stating it "MAY" work, because of the reasons stated above.

     

    If it does not work, then raise a formal support case to get a blessing from Engineering on my comment in the first paragraph and then this would be an ideation.

     

    Hope this helps!

     

    Regards

    Hubert



  • 18.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 10:16 AM

    Hi Hubert,

     

    We tried creating a virtual Attribute Mapping (using the expression shown below) in the User Directory to filter a set of groups. Then in the SAML Attribute section, we used FMATTR:VirtualAttributeName to send the filtered groups as separate attribute values.

     

    Name: GroupNames

    Expression: Filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*Application1*')

     

    Used FMATTR in federation partnership to send values in separate attribute values.

     

    FMATTR in Federation Partnership

     

    Got the output below:

     

    <ns2:Attribute Name="GroupNames"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>Application1-Group1</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group2</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group3</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group4</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group5</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group6</ns2:AttributeValue>
    </ns2:Attribute>

     

     

    But in our case, we want to filter the groups which have Application1 in the value and also the groups which have Application2 in the value. We tried using the expression below, but wanted to send those group values as separate attribute values.

     

    filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*Application1*')+","+filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*Application2*')

     

    Expected result as shown below.

    <ns2:Attribute Name="GroupNames"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>Application1-Group1</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group2</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group3</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group4</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group5</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group6</ns2:AttributeValue>
        <ns2:AttributeValue>Application2-Group1</ns2:AttributeValue>
        <ns2:AttributeValue>Application2-Group2</ns2:AttributeValue>
        <ns2:AttributeValue>Application2-Group3</ns2:AttributeValue>
        <ns2:AttributeValue>Application2-Group4</ns2:AttributeValue>
    </ns2:Attribute>

     

    Can you provide any suggestion on how to make this work?

     

     

     

    Regards,

    Himavanth



  • 19.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 10:23 AM

    Thanks for the detailed output.

     

    We'll need to create two Attribute Mappings (one for filtering using APP and one for filtering using SCCM). Then create two SAML Attributes (i.e. GroupName-1 = FMATTR:VirtualAttribute-APP and GroupName-2 = FMATTR:VirtualAttribute-SCCM).



  • 20.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 10:27 AM

    Is there any possibility to send all groups in single Assertion Attribute instead of two separate Assertion Attributes?



  • 21.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 11:12 AM

    I am confused now. This is what is being sent in a single Assertion Attribute called "GroupNames".

     

    Your Reply above

    Tried using below expression but wanted to send those group values in separate attribute values.

     

    filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*APP*')+","+filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*SCCM*')

     

    Expected result as shown below.

    <ns2:Attribute Name="GroupNames"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>APP-Group1</ns2:AttributeValue>
        <ns2:AttributeValue>APP-Group2</ns2:AttributeValue>
        <ns2:AttributeValue>APP-Group3</ns2:AttributeValue>
        <ns2:AttributeValue>APP-Group4</ns2:AttributeValue>
        <ns2:AttributeValue>APP-Group5</ns2:AttributeValue>
        <ns2:AttributeValue>APP-Group6</ns2:AttributeValue>
        <ns2:AttributeValue>SCCM-Group1</ns2:AttributeValue>
        <ns2:AttributeValue>SCCM-Group2</ns2:AttributeValue>
        <ns2:AttributeValue>SCCM-Group3</ns2:AttributeValue>
        <ns2:AttributeValue>SCCM-Group4</ns2:AttributeValue>
    </ns2:Attribute>

     



  • 22.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 12:06 PM

    We created two Attribute Mappings (one for filtering using Application1 and one for filtering using Application2). Then we created two SAML Attributes (i.e. GroupName-1 = FMATTR:VirtualAttribute-Application1 and GroupName-2 = FMATTR:VirtualAttribute-Application2) and were able to send these groups as part of two SAML Attributes.

     

    We wanted to use only one SAML Attribute to send all the groups (groups containing Application1 and also groups containing Application2). Need recommendations for doing this.



  • 23.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 12:40 PM

    Himavanth Himavanth.Ganta

     

    Yes, we can filter multiple patterns in a single expression. I provided one working option in the thread above.

     

    Pasting it here again for easier reference and tailored to our request.

     

    Create Attribute Mapping (Virtual Attribute) using this Expression
    Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*APP*') + "," + Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*SCCM*')

     

    Then call the Virtual Attribute (Attribute Mapping) within SAML Attribute as FMATTR : VirtualAttributeName.



  • 24.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 12:58 PM

    Here is the output I see.

     

    <ns2:Attribute Name="GroupID"
                   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>Application1-Group1</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group2</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group3</ns2:AttributeValue>
        <ns2:AttributeValue>Application1-Group4,Application2-Group1</ns2:AttributeValue>
    </ns2:Attribute>

     

    But I am not able to send Application2-Group1 as a separate attribute value.

     

     



  • 25.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 01:30 PM

    Aha I see,

     

    Try this.

     

    Create Attribute Mapping (Virtual Attribute) using this Expression
    Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*APP*') + "^" + Filter(ENUMERATE(Get('isMemberOf'), STRING(RDN(STRING(%0), FALSE))), '*SCCM*')
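
    The following is an added worked example, not code from the thread or from SiteMinder: a plain Python model of the Expression pipeline the posts above rely on (RDN extraction, wildcard Filter, '^'-separated multi-values, FMATTR splitting), showing why joining the two Filter results with "," merges two groups into one AttributeValue while "^" keeps them separate. The SiteMinder semantics it encodes are inferred from the posted expressions and outputs and are assumptions; the memberOf values are constructed sample data.

    ```python
    """Model of the SiteMinder attribute-mapping expressions used in this thread.

    Assumed semantics (inferred from the posted expressions and their outputs):
      * Get('memberOf') is the user's set of group DNs; a set renders as one
        string with '^' between the values.
      * ENUMERATE(set, STRING(RDN(STRING(%0), FALSE))) maps each DN to the value
        of its leading RDN (the CN) without the attribute type.
      * Filter(set, '*ABC*') keeps the values matching a glob pattern.
      * '+' concatenates the rendered strings, and FMATTR splits the final
        string on '^' to produce one <AttributeValue> per piece.
    """
    from fnmatch import fnmatchcase
    from xml.etree import ElementTree as ET

    SEP = "^"  # SiteMinder multi-value separator seen in the test-tool output

    # Constructed sample memberOf values (not from the thread's environment).
    MEMBER_OF = [
        "cn=Application1-Group1,ou=groups,dc=ca,dc=com",
        "cn=Application1-Group2,ou=groups,dc=ca,dc=com",
        "cn=Application2-Group1,ou=groups,dc=ca,dc=com",
        "cn=Group0,ou=groups,dc=ca,dc=com",
        "cn=Adminprofile_ABC,ou=groups,dc=ca,dc=com",
    ]


    def rdn_value(dn: str) -> str:
        """RDN(STRING(dn), FALSE): leading RDN value, attribute type dropped."""
        first = dn.split(",", 1)[0]
        return first.split("=", 1)[1] if "=" in first else first


    def enumerate_rdn(dns):
        """ENUMERATE(Get('memberOf'), STRING(RDN(STRING(%0), FALSE)))."""
        return [rdn_value(dn) for dn in dns]


    def filter_glob(values, pattern: str):
        """Filter(set, '*pattern*'): case-sensitive glob match."""
        return [v for v in values if fnmatchcase(v, pattern)]


    def filtered_groups(dns, patterns, joiner: str) -> str:
        """Filter(...,'*p1*') + joiner + Filter(...,'*p2*') ..., as rendered text."""
        cns = enumerate_rdn(dns)
        return joiner.join(SEP.join(filter_glob(cns, p)) for p in patterns)


    def fmattr_split(expr_result: str):
        """FMATTR:VirtualAttribute splits on '^'; empty pieces (no match) drop."""
        return [v for v in expr_result.split(SEP) if v]


    def attribute_statement(name: str, values) -> str:
        """Render the SAML AttributeStatement the SP would receive."""
        ns = "urn:oasis:names:tc:SAML:2.0:assertion"
        ET.register_namespace("saml", ns)
        stmt = ET.Element(f"{{{ns}}}AttributeStatement")
        attr = ET.SubElement(stmt, f"{{{ns}}}Attribute", Name=name,
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified")
        for v in values:
            ET.SubElement(attr, f"{{{ns}}}AttributeValue").text = v
        return ET.tostring(stmt, encoding="unicode")


    if __name__ == "__main__":
        patterns = ["*Application1*", "*Application2*"]
        for joiner in (",", SEP):  # "," reproduces the merged value of post 24
            out = filtered_groups(MEMBER_OF, patterns, joiner)
            print(f"joiner {joiner!r}: {out!r} -> {fmattr_split(out)}")
        print(attribute_statement("GroupNames",
                                  fmattr_split(filtered_groups(MEMBER_OF, patterns, SEP))))
    ```

    Only the groups matching the requested patterns reach the SP, which is the least-privilege release the original question asked for; Group0 and the ABC group never appear.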


  • 26.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 02:07 PM

    Hubert,

     

    Thanks for the help.

     

    This expression works perfectly for us.

     

     

    Regards,

    Himavanth



  • 27.  Re: Send only subset of the groups in the SAML assertions

    Posted 11-28-2017 02:52 PM

    Thank You Himavanth Himavanth.Ganta for confirming back. Glad to know FMATTR works with Expression using AttributeMapping. Good learning and recap for me too.

     

    Regards

    Hubert



  • 28.  Re: Send only subset of the groups in the SAML assertions

    Posted 02-08-2018 02:30 PM

    Hi Hubert HubertDennis,

     

    Is there a way we can separate multi valued attribute using comma (,) instead of caret (^)?

     

    Regards,

    Himavanth



  • 29.  Re: Send only subset of the groups in the SAML assertions



  • 30.  Re: Send only subset of the groups in the SAML assertions

    Posted 06-20-2018 07:29 PM

    Hello Hubert,

     

    Sorry to hijack this thread, but hoping to get a quick resolution from you:

    Basically the user is assigned only one of three possible roles that we need to send in a single SAML attribute:

    (1) admin-user

    (2) power-user

    (3) user

     

    This expression works for me - - > GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : ""

     

    So with that expression I can pass the role value of "admin-user" in the SAML attribute, but what if the user is a member of the "org_developer" of which I would need to pass the corresponding role value of "power-user" instead, and like wise if the user is a member of "org_employee" then I would need to pass the role value of "user".

     

    I need to add onto this expression - - >  GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" so that it will evaluate the two other possible AD groups from memberOf, something like this:

     

    GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" + CONTAINS ('org_developer') ? "power-user" : "" + CONTAINS ('org_employee') ? "user" : ""



  • 31.  Re: Send only subset of the groups in the SAML assertions

    Posted 06-25-2018 09:48 AM

    Duc dmt953

     

    Am glad you took time and effort to open a new thread. It helps keep the discussion nuclear. I have replied on the thread you opened.

     

    Regards

    Hubert