Ref: https://communities.ca.com/message/242025352-re-send-only-subset-of-the-groups-in-the-saml-assertions?commentID=242025352#comment-242025352
I am working with a customer who also wanted to send only a subset of groups in SAML assertions. Unlike the referenced post, my customer wanted to send the full DN of the group rather than just the group name, so I spent some time getting familiar with the earlier post. Let’s use the simpler case of only needing to search for one group string rather than multiples.
filter(ENUMERATE(Get('memberOf'),STRING(RDN(STRING(%0),FALSE))),'*Super*')
I have created a response and assigned the output of the filter to ATTR_HEADER_USER. ATTR_MEMBEROF shows all groups to which I belong:
HTTP_ATTR_HEADER_USER=AdminLevel_SuperUser
HTTP_ATTR_MEMBEROF=cn=AdminLevel_000,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org^cn=AdminLevel_SuperUser,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org
Seems OK, but there’s actually something wrong: the RDN function is not documented correctly.
From the current documentation:
Current Documentation
The RDN function has the following format:
RDN(DN_string[, remove_name])
Parameters
The RDN function accepts the following parameters:
- DN_string (string): LDAP Distinguished Name
- remove_name (Optional): When set to TRUE (the default), the attribute name is removed from the returned string. When set to FALSE, the attribute is included in the returned string.
According to this document, the ATTR_HEADER_USER should include the attribute if remove_name = FALSE in the RDN function. I built a table to show various results to better understand the RDN function (please see attached spreadsheet). Based on my findings, the documentation for the RDN function should be:
Corrected documentation
The RDN function has the following format:
RDN(DN_string[, keep_name])
Parameters
The RDN function accepts the following parameters:
- DN_string (string): LDAP Distinguished Name
- keep_name (Optional): When set to FALSE (the default), the attribute name is removed from the returned string. When set to TRUE, the attribute is included in the returned string.
This function has been around a long time, so I would feel better if someone could duplicate my results before I submit a request for the documentation to be corrected.
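As an added worked example (not from the original post and not CA's own implementation), the following Python script emulates the three pieces of the expression above, ENUMERATE over the '^'-separated memberOf value, RDN with the keep_name semantics the post reports, and filter with '*Super*', using the two group DNs from the HTTP_ATTR_MEMBEROF output as constructed input. It also shows the variant the customer in the post wanted: matching on the group's RDN value but emitting the full DN. The function names, the glob-style interpretation of filter's pattern, and the backslash-escaped-comma handling are assumptions made for the demo.

```python
import fnmatch
import re

# Constructed input: the two group DNs the author's HTTP_ATTR_MEMBEROF header
# showed, joined with the '^' multi-value separator seen in that header.
MEMBEROF_HEADER = (
    "cn=AdminLevel_000,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org"
    "^cn=AdminLevel_SuperUser,ou=Groups,ou=SiteMinder,ou=Applications,dc=my,dc=org"
)


def split_dn(dn):
    """Split a DN into its 'name=value' RDN strings at commas that are not
    escaped with a backslash (RFC 4514 escaping). Assumed parsing rule."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def rdn(dn, keep_name=False):
    """Emulate RDN() with the semantics the post reports: the optional second
    argument keeps the attribute name when TRUE and defaults to FALSE."""
    first = split_dn(dn)[0]
    if keep_name:
        return first
    _name, _sep, value = first.partition("=")
    return value


def enumerate_values(header, transform=lambda v: v):
    """Emulate ENUMERATE(Get('memberOf'), <expr>) over a '^'-separated value."""
    return [transform(value) for value in header.split("^") if value]


def filter_values(values, pattern):
    """Emulate filter(<list>, '*Super*') as a case-sensitive glob match (assumption)."""
    return [v for v in values if fnmatch.fnmatchcase(v, pattern)]


def group_names_matching(header, pattern, keep_name=False):
    """The post's expression:
    filter(ENUMERATE(Get('memberOf'), STRING(RDN(STRING(%0), <keep_name>))), pattern)"""
    return filter_values(enumerate_values(header, lambda g: rdn(g, keep_name)), pattern)


def group_dns_matching(header, pattern):
    """What the customer in the post wanted instead: match on the group's RDN
    value, but return the full DN so the SAML assertion carries the DN."""
    return [g for g in enumerate_values(header) if fnmatch.fnmatchcase(rdn(g), pattern)]


if __name__ == "__main__":
    print("HEADER_USER, keep_name=False:", group_names_matching(MEMBEROF_HEADER, "*Super*"))
    print("HEADER_USER, keep_name=True: ", group_names_matching(MEMBEROF_HEADER, "*Super*", keep_name=True))
    print("Full DNs for the assertion:  ", group_dns_matching(MEMBEROF_HEADER, "*Super*"))
```

Matching the pattern against the RDN value and then emitting the whole DN is deliberate: filtering the full DN strings with '*Super*' directly would also match a group whose ou or dc components happen to contain "Super", which is not what the group-name filter in the post intends.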