I am working with a customer who also wanted to send only a subset of groups in SAML assertions. Unlike the referenced post, my customer wanted to send the full DN of the group rather than just the group name, so I spent some time getting familiar with the earlier post. Let’s use the simpler case of only needing to search for one group string rather than multiples.
I have created a response and assigned the output of the filter to ATTR_HEADER_USER. ATTR_MEMBEROF shows all groups to which I belong:
Seems OK, but there’s actually something wrong: the RDN function is not documented correctly.
From the current documentation:
The RDN function has the following format:
The RDN function accepts the following parameters:
According to this document, the ATTR_HEADER_USER should include the attribute if remove_name = FALSE in the RDN function. I built a table to show various results to better understand the RDN function (please see attached spreadsheet). Based on my findings, the documentation for the RDN function should be:
Corrected documentation

The RDN function has the following format:
This function has been around a long time, so I would feel better if someone could duplicate my results before I submit a request for the documentation to be corrected.
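To make the behaviour under discussion concrete, here is an added illustration (my own Python, not CA's RDN implementation and not code from this post): a small RDN helper with a remove_name flag, plus a memberOf filter that keeps only matching groups and returns either the full group DN or just the group name. The function names, the group DNs and the reading that remove_name = TRUE strips the attribute name are all assumptions for the example.

```python
# Added example (assumption): models an RDN-style helper, not CA SSO's actual function.

def split_dn(dn: str) -> list[str]:
    """Split an LDAP DN into its RDN strings on unescaped commas (RFC 4514 style)."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                      # previous char was a backslash: keep literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":                 # start of an escape sequence
            buf.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the current RDN
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def rdn(dn: str, remove_name: bool) -> str:
    """Return the leftmost RDN of dn; with remove_name=True drop the 'attr=' prefix."""
    first = split_dn(dn)[0]
    if not remove_name:
        return first                     # e.g. "cn=SAML Admins"
    _attr, _sep, value = first.partition("=")
    return value                         # e.g. "SAML Admins"


def filter_groups(member_of: list[str], needle: str, full_dn: bool) -> list[str]:
    """Keep groups whose name contains needle; emit the full DN or just the name."""
    out = []
    for dn in member_of:
        name = rdn(dn, remove_name=True)
        if needle.lower() in name.lower():
            out.append(dn if full_dn else name)
    return out


# Constructed sample memberOf values (not from a real directory).
MEMBER_OF = [
    "cn=SAML Admins,ou=groups,dc=example,dc=com",
    "cn=Sales\\, EMEA,ou=groups,dc=example,dc=com",
    "cn=VPN Users,ou=groups,dc=example,dc=com",
]

if __name__ == "__main__":
    print(filter_groups(MEMBER_OF, "saml", full_dn=True))
```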
Please open a Support Case to investigate your findings.
Just closing the loop here: I have logged an internal case for this issue, CA Support #01001480, RDN function not documented correctly.
Case update: CA Support has confirmed this bug and will open a defect with sustaining engineering.
Just closing the loop: CA Support confirmed that sustaining engineering corrected the documentation.