Symantec Access Management


Need help with using Expressions for SAML attributes

  • 1.  Need help with using Expressions for SAML attributes

    Posted Mar 26, 2018 07:48 PM

    Hello,

     

    We have a new SAML SP that requires us to pass a specific set of SAML attributes to them.  These are SAML DN attributes pulling the AD group "CN" value.  The problem we are facing is that the SAML SP requires all of the SAML attributes to have values rather than an empty-value SAML attribute.  We think it may be possible to configure SAML attribute expressions to add a static value to any SAML DN attribute that does not have a value, and we are hoping to get help on this.

     

    Thanks in advance!



  • 2.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 03:02 AM

    I found this CA Community post which will work for my case scenario:  https://comm.support.ca.com/kb/juel-expressions-in-saml-assertions/kb000046464

     

    I followed the example and setup the following:

     

    1) I created an expression attribute named "EX_memberof" with the expression - - - >  FILTER(GET('memberOf'), '*jira*')

    2) In my SAML Partnership I configured a SAML attribute expression type with the following JUEL expression  - - - >  #{attr["EX_memberof"] == 'CN=jira-team123-team,OU=Permissions,DC=regence,DC=com' ? 'jira-user: 'Null-user'}

     

    I confirmed that my expression attribute does return several AD group DNs with names starting with "jira-", which means that my SAML attribute should return the value "jira-user", but instead it returns "null-user".  I have spent all day and night tweaking the JUEL expression, but it does not seem to make a difference.



  • 3.  Re: Need help with using Expressions for SAML attributes
    Best Answer

    Posted Mar 27, 2018 10:17 AM

    dmt953

     

    You know what I'd suggest: just use one form of EXPRESSION. That way it is much simpler to administer and configure in a single central place than scattering it over multiple places (like you have done with EXPRESSION in User Attribute and JUEL EXPRESSION in Partnership).

     

    The User Attribute in EXPRESSION can be updated as follows.

     

    User Directory : User Attribute : Expression : EX_memberof
    GET('memberOf') ~CONTAINS ('jira') ? "jira-user" : "null-user"

     

    In the Partnership within Assertion Attribute, simply use USER ATTRIBUTE and list "EX_memberof".

     

    The entire logic gets evaluated at one place i.e. in the USER ATTRIBUTE Expression and returns a single response value.

     

    I don't prefer JUEL as it is not as rich in feature set and functionality as the OPERATOR EXPRESSION which is available in USER ATTRIBUTE EXPRESSION. Given the current state of the feature set and richness, which is more beneficial, JUEL EXPRESSION or OPERATOR EXPRESSION? You can get an overview and decide for yourself using this blog.



  • 4.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 02:38 PM

    Hello Hubert, thank you so much for your response.

     

    I was very excited to try this solution, but it did not work for me.  This expression you gave me:  [GET('memberOf') ~CONTAINS ('jira*) ? "jira-user" : "null-user"]  kept on returning "null-user" for the attribute value.  I tried breaking it down and having it - - > GET('memberOf') ~CONTAINS ('*jira*') and it returned the value "False" for the attribute.  Looks like for some reason this expression could not find my AD group "CN=jira-dev-teams,OU=Permissions,DC=regence,DC=com", of which I am a member.

     

    To test and make sure that it is finding this AD group from the "memberOf" attribute, I created another Expression attribute called "EX_jira2" with the following Expression - - > FILTER(GET('memberOf'), '*jira*') and it returned this value for the attribute:

     

    "<ns2:Attribute Name="AggCsv-roles-e"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><ns2:AttributeValue>CN=jira-team123-team,OU=Permissions,DC=regence,DC=com^CN=jira-dev-teams,OU=Permissions,DC=regence,DC=com</ns2:AttributeValue>"

     

    Could you look more into the expression that you gave me and help me figure out why it is not finding the "jira" AD group from the "memberOf" attribute?

     

    Much thanks!



  • 5.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 03:04 PM

    dmt953

     

    Could you get me a screenshot of your expression. I see some typos in the expression.

     

    You were debugging this correctly by taking a stepped approach. Good investigation.

     

    Instead of this....

    GET('memberOf') ~CONTAINS ('*jira*')

    Try this.....

    GET('memberOf') ~CONTAINS ('jira')



  • 6.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 03:16 PM

    I changed it back to - - > GET('memberOf') ~CONTAINS ('jira')

     

    and still seeing this attribute value:  <ns2:Attribute Name="AggCsv-roles-d"NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><ns2:AttributeValue>FALSE</ns2:AttributeValue>



  • 7.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 03:21 PM

    Since this expression - - > FILTER(GET('memberOf'), '*jira*')   does return my AD group: "CN=jira-dev-teams,OU=Permissions,DC=regence,DC=com"   then could I add that second statement - - > ? "jira-user" : "null-user"  so that it looks like this  - - - > FILTER(GET('memberOf'), '*jira*') ? "jira-user" : "null-user" ?

     

    I tried entering in that entire expression and clicked on "Submit" and the AdminUI gave me this error: 

    ErrorError:Task failed.
    FatalFatal:Failed to execute ModifyAttributeMappingEvent. ERROR MESSAGE: SmApiWrappedException:The first clause of a conditional expression must be boolean (not ).


  • 8.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 04:37 PM

    Hubert.. I removed the "~" sign - - >  GET('memberOf') ~CONTAINS ('jira')

     

    so it looks like this - - > GET('memberOf') CONTAINS ('jira')

     

    and it worked!

     

    Then I added the second statement and indeed, it worked as expected. 

     

    Thank you so much for your help, very much appreciated!

     

    Duc Tran



  • 9.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 05:39 PM

    dmt953 Duc

     

    Good debugging; I always appreciate it when the effort is shared both ways.

     

    I am glad this worked with CONTAINS.

     

    Just on an ending note, ~CONTAINS is not case sensitive, so I thought it would have sufficed for all use cases, e.g. JIVE, Jive, jive etc. Wanted to leave this note, just in case.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators#Operators-ContainmentOperators 

     

    Thank You Again for your efforts.

     

    Regards

    Hubert
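
    Editor's note: the following is an added Python model of the expression logic worked out in this thread; it is not code from the thread, from CA/Symantec, or from the product. The names get, filter_values, contains and conditional are assumed stand-ins for the product's GET, FILTER, CONTAINS and "? :" operators, modelled only as far as the posts above describe them (FILTER yields a list of matching values, CONTAINS yields a boolean, and the AdminUI rejects a conditional whose first clause is not boolean). The sample memberOf values are constructed from the two group DNs quoted above plus one unrelated group. It shows why the FILTER form is rejected, why the CONTAINS form works, and that the final expression never emits an empty attribute value, which was the SP's original complaint.

```python
import fnmatch

# Constructed sample data: the two "jira" group DNs quoted in the thread plus one
# unrelated group, so the "no jira membership" path can be exercised too.
SAMPLE_MEMBER_OF = [
    "CN=jira-team123-team,OU=Permissions,DC=regence,DC=com",
    "CN=jira-dev-teams,OU=Permissions,DC=regence,DC=com",
    "CN=vpn-users,OU=Permissions,DC=regence,DC=com",
]
UNRELATED_ONLY = [SAMPLE_MEMBER_OF[2]]


def get(user, name):
    """Stand-in for GET(): the multi-valued directory attribute as a list (empty if absent)."""
    return list(user.get(name, []))


def filter_values(values, pattern):
    """Stand-in for FILTER(): keep values matching a glob such as '*jira*'.
    The result is a list of strings, never a boolean."""
    return [v for v in values if fnmatch.fnmatchcase(v, pattern)]


def contains(values, needle):
    """Stand-in for CONTAINS: True if any value has the substring. The result is a boolean."""
    return any(needle in v for v in values)


def conditional(condition, if_true, if_false):
    """Stand-in for the '? :' operator, with the rule the AdminUI enforced in the thread:
    the first clause must be boolean, otherwise the expression is rejected."""
    if not isinstance(condition, bool):
        raise TypeError("The first clause of a conditional expression must be boolean")
    return if_true if condition else if_false


def ex_memberof(user):
    """Model of the working user-attribute expression:
    GET('memberOf') CONTAINS ('jira') ? "jira-user" : "null-user"
    Always returns a non-empty string, so the SP never sees an empty attribute."""
    return conditional(contains(get(user, "memberOf"), "jira"), "jira-user", "null-user")


def ex_memberof_filter_form(user):
    """Model of the rejected form FILTER(GET('memberOf'), '*jira*') ? ... : ...
    Raises TypeError because FILTER produces a list, not a boolean."""
    matches = filter_values(get(user, "memberOf"), "*jira*")
    return conditional(matches, "jira-user", "null-user")


def filter_form_is_rejected(user):
    """True if the FILTER-based conditional is rejected for this user (assumed behaviour)."""
    try:
        ex_memberof_filter_form(user)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    member = {"memberOf": SAMPLE_MEMBER_OF}
    outsider = {"memberOf": UNRELATED_ONLY}
    nobody = {}  # user with no memberOf at all: the empty-value case the SP rejected
    print("FILTER result:", filter_values(get(member, "memberOf"), "*jira*"))
    print("jira member  ->", ex_memberof(member))
    print("other groups ->", ex_memberof(outsider))
    print("no memberOf  ->", ex_memberof(nobody))
    print("FILTER form rejected:", filter_form_is_rejected(member))
```

    The model assumes CONTAINS is a plain case-sensitive substring test; it does not attempt to explain the FALSE result that ~CONTAINS produced on the real Policy Server in this thread.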



  • 10.  Re: Need help with using Expressions for SAML attributes

    Posted Mar 27, 2018 03:45 AM

    [03/27/2018][01:38:40][3980131184][1877d59c-95929434-812947db-848f63e0-31eb6d02-ff6][SAMLSPEntitlementGenerator.java][processExpressionEvaluation][][][][][][][][Expression before evaluation: #{attr["EX_memberof"] == '*jira*' ? 'jira-team123-team' : 'Null-value'}]
    [03/27/2018][01:38:40][3980131184][1877d59c-95929434-812947db-848f63e0-31eb6d02-ff6][SAMLSPEntitlementGenerator.java][processExpressionEvaluation][][][][][][][][Return value: Null-value]
    [03/27/2018][01:38:40][3980131184][1877d59c-95929434-812947db-848f63e0-31eb6d02-ff6][SAMLSPEntitlementGenerator.java][generateValue][][][][][][][][Entitlement: NameAttrFormat = unspecified, Encrypt = false, Mode = User, AggCsv-roles-a = NOT PRINTABLE]
    [03/27/2018][01:38:40][3980131184][1877d59c-95929434-812947db-848f63e0-31eb6d02-ff6][AuthnRequestProtocol.java][generateAttributeStatement][][][][][][][][Generating SAML Assertion AttributeStatement...]
    [03/27/2018][01:38:40][3980131184][1877d59c-95929434-812947db-848f63e0-31eb6d02-ff6][AuthnRequestProtocol.java][processAttributes][][][][][][][][Raw Value: Null-value]
    [03/27/2018][01:38:40][3980131184][1877d59c-95929434-812947db-848f63e0-31eb6d02-ff6][AuthnRequestProtocol.java][generateAttributeStatement][][][][][][][][Require to Encrypt Attribute: false]
    [03/27/2018][01:38:40][3980131184][1877d59c-95929434-812947db-848f63e0-31eb6d02-ff6][AuthnRequestProtocol.java][processRequest][][][][][][][][The authentication request is processed successfull