CA SSO has SM_USERGROUPS response header and this pulls back the DN of each group seperate by ^.
If the legacy application is expecting group name (cn) only seperated by comma ',' is there a configurable way to do that?
We can do it via an Active Response but wondering if there was a none-coding way to do it. One benefit is this LDAP has memberOf attribute on the user object. Anyone done something similar?
Just looked up the source code, unfortunately the the delimiter is hardcoded to "^".
It's not configurable.
However, you can try to post processing the returned value using another Response using Expression ??:
Operators - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
The TRANSLATE function replaces all occurrences of one string found within a second string with a third string. The search is case-sensitive unless the optional Boolean is set to TRUE.
The TRANSLATE function has the following format:
TRANSLATE(source_string, search_string, replace_string[, not_case_sensitive])
Addtionally to what Urjwol siad, you can check the following :
How to set expression can be done at :
https://communities.ca.com/thread/241738111 https://communities.ca.com/thread/241738164 So in your case you would have to set something like
Expression : TRANSLATE(%SM_USERGROUPS, '^', ',')
> Works fine in my LAB
Thanks Julien for testing this out
Thank Ujwol, Julien.
Last time I look at expressions was in the v6.0 days!
To get multi-value CN of all the groups, docops Example 1 works.
Attributes and Expressions Reference - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
Virtual User Attribute #GetCN set to RDN( STRING(%0),FALSE)
I created an Expression #GetCN and used Enumerate. Example 2 does NOT work.
ENUMERATE(SM_USERGROUPS, STRING(RDN(%0, FALSE)))
So putting it all together to get CN with commas I use:
TRANSLATE(ENUMERATE(SM_USERGROUPS, #GetCN), '^', ',')
The result is: