Symantec Access Management

  • 1.  RDN function not documented correctly

    Broadcom Employee
    Posted Mar 06, 2018 01:46 PM

    Ref:  https://communities.ca.com/message/242025352-re-send-only-subset-of-the-groups-in-the-saml-assertions?commentID=242025352#comment-242025352

    I am working with a customer who also wanted to send only a subset of groups in SAML assertions.  Unlike the referenced post, my customer wanted to send the full DN of the group rather than just the group name, so I spent some time getting familiar with the earlier post.  Let’s use the simpler case of only needing to search for one group string rather than multiples.

    filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*Super*')

    I have created a response and assigned the output of the filter to ATTR_HEADER_USER.  ATTR_MEMBEROF shows all groups to which I belong:

    HTTP_ATTR_HEADER_USER=AdminLevel_SuperUser

    HTTP_ATTR_MEMBEROF=cn=AdminLevel_000,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org^cn=AdminLevel_SuperUser,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org

    Seems OK, but there’s actually something wrong:  the RDN function is not documented correctly.

    From the current documentation:

    Current Documentation

    The RDN function has the following format:

    RDN(DN_string[, remove_name])

    Parameters

    The RDN function accepts the following parameters:

    1. DN_string (string)
      LDAP Distinguished Name
    2. remove_name
      (Optional) When set to TRUE (the default), the attribute name is removed from the returned string. When set to FALSE, the attribute is included in the returned string.

    According to this document, the ATTR_HEADER_USER should include the attribute if remove_name = FALSE in the RDN function.  I built a table to show various results to better understand the RDN function (please see attached spreadsheet).  Based on my findings, the documentation for the RDN function should be:

    Corrected Documentation

    The RDN function has the following format:

    RDN(DN_string[, keep_name])

    Parameters

    The RDN function accepts the following parameters:

    1. DN_string (string)
      LDAP Distinguished Name
    2. keep_name
      (Optional) When set to FALSE (the default), the attribute name is removed from the returned string. When set to TRUE, the attribute is included in the returned string.

    This function has been around a long time, so I would feel better if someone could duplicate my results before I submit a request for the documentation to be corrected.


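    To make the observed behaviour concrete, here is an added Python model of the expression in the post (this is not CA's implementation; it is written to reproduce the results the post reports). It implements an RDN helper whose second argument keeps the attribute name when TRUE and strips it when FALSE, the default, as in the corrected documentation, and runs the ENUMERATE/filter pipeline over constructed memberOf values. The escaped-comma handling is an assumption about LDAP DN syntax, not something the post covers.

    ```python
    import fnmatch
    from typing import List

    # Constructed sample memberOf values modelled on the post's output
    MEMBER_OF = [
        "cn=AdminLevel_000,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org",
        "cn=AdminLevel_SuperUser,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org",
    ]


    def rdn(dn_string: str, keep_name: bool = False) -> str:
        """Return the leftmost RDN of an LDAP DN.

        Models the behaviour the post observed (not the original docs):
        keep_name=True keeps 'cn=...', keep_name=False (default) strips it.
        """
        # Split on the first unescaped comma; LDAP allows '\,' inside a value.
        chars = []
        i = 0
        while i < len(dn_string):
            ch = dn_string[i]
            if ch == "\\" and i + 1 < len(dn_string):
                chars.append(dn_string[i:i + 2])  # keep escape pair intact
                i += 2
                continue
            if ch == ",":
                break
            chars.append(ch)
            i += 1
        rdn_text = "".join(chars).strip()
        if keep_name:
            return rdn_text
        name, sep, value = rdn_text.partition("=")
        # A DN without '=' is malformed; return it unchanged rather than ''
        return value if sep else rdn_text


    def filter_groups(values: List[str], pattern: str, keep_name: bool = False) -> List[str]:
        """ENUMERATE + filter: apply rdn() to each memberOf value, then keep
        only results matching a glob pattern such as '*Super*'."""
        transformed = (rdn(dn, keep_name) for dn in values)
        return [v for v in transformed if fnmatch.fnmatchcase(v, pattern)]


    if __name__ == "__main__":
        print(filter_groups(MEMBER_OF, "*Super*"))             # ['AdminLevel_SuperUser']
        print(filter_groups(MEMBER_OF, "*Super*", True))       # ['cn=AdminLevel_SuperUser']
    ```

    Running the same filter with the second argument flipped shows why the documented parameter name matters: a policy author who trusts the original text will get the opposite of what they intended.
    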


  • 2.  Re: RDN function not documented correctly
    Best Answer

    Broadcom Employee
    Posted Apr 02, 2018 11:28 AM

    Hi Richard,

    Please open a Support Case to investigate your findings.

    Thanks,

    Rick



  • 3.  Re: RDN function not documented correctly

    Broadcom Employee
    Posted Apr 02, 2018 04:05 PM

    Just closing the loop here:  I have logged an internal case for this issue, CA Support #01001480, RDN function not documented correctly.



  • 4.  Re: RDN function not documented correctly

    Broadcom Employee
    Posted Apr 05, 2018 05:14 PM

    Case update:  CA Support has confirmed this bug and will open a defect with sustaining engineering.



  • 5.  Re: RDN function not documented correctly

    Broadcom Employee
    Posted Jun 23, 2018 11:04 AM

    Just closing the loop:  CA Support confirmed that sustaining engineering corrected the documentation.