Symantec Access Management

  • 1.  User Attribute Mapping or Expression

    Posted May 04, 2017 07:21 PM

    Hello Everyone, Our AD is a combination of multiple domains which is exposed to SM using the Global Catalog. I need to populate the user's domain information from our Active Directory to send as a variable to back-end applications. Unfortunately this info is not populated as an attribute in AD. So we chose to use SM Expressions to strip the user information from the user's DN.

    For example, I have the following DN and I need to extract bbr (the first dc= value) into a response variable.

    CN=Name,OU=objects,OU=loc,OU=COR,OU=what,DC=bbr,DC=cont,DC=where,DC=what,DC=com

    Step 1:

    I have used the AFTER expression to capture everything after the FIRST 'DC=' by using the following:

    AFTER(distinguishedName,'dc=',TRUE)

    The policy server populates the result: bbr,DC=ad,DC=comp,DC=com

    PS Trace shows:

    [05/04/2017][17:51:36][4044376944][][][][][][][][][][][][][][Evaluated "AFTER(DISTINGUISHEDNAME,{dc=},TRUE)" as string (Type: string, Value: "na,DC=ad,DC=comp,DC=com")][][][XPSEval.cpp:366][12851][17:51:36.816][Evaluate][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    Step2: I need to use BEFORE expression on the above output to extract 'bbr' string. So I have used a BEFORE condition on step 1's output as the source string and passed ',' as my parameter. 

     

    BEFORE(AFTER(distinguishedName,'dc=',TRUE),',') 

     

    However, SM draws a blank at this point and populated response with a blank. Am I making a syntax error somewhere? Can I club AFTER and BEFORE expressions?

    Note, I for the BEFORE function to work by itself such as BEFORE(distinguishedName,',',TRUE),',') correctly, but unable to combine the output with another function such as AFTER.

     

    Appreciate any help.



  • 2.  Re: User Attribute Mapping or Expression

    Posted May 04, 2017 07:46 PM

    Hi Anil,

    Have you tried declaring it as a separate variable?

    temp = AFTER(distinguishedName,'dc=',TRUE)

    final = BEFORE(temp,',')



  • 3.  Re: User Attribute Mapping or Expression
    Best Answer

    Posted May 04, 2017 08:17 PM

    Just tested, it's working for me.

    Step 1. Created a named expression:

    #AFTER = AFTER(description,'dc=',TRUE)

    (Note: I was testing this with CA Directory, so I tested with the description field after dumping the DN value into it.)

    Step 2. Create a Response to use the named expression:

    Final2 = BEFORE(#AFTER,',')

    Result:



  • 4.  Re: User Attribute Mapping or Expression

    Posted May 05, 2017 12:42 PM

    Hi Ujwol, You are the man. I am able to get it to work inside of an HTTP Response. However, I need this value in a partnership assertion. The assertion generator is not able to execute the expression; instead it prints it as a static value.

    Log shows:

    <ns2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>BEFORE(#AFTER,",")</ns2:AttributeValue>

    I can't get the same executed in the user Attribute mapping either.



  • 5.  Re: User Attribute Mapping or Expression

    Posted May 05, 2017 04:34 PM

    Never mind. This seems to be a bug which has been identified as per:

    How to format a nameID value in the assertion configuration for a federation partnership

    I finally got the attribute mapping to work with this:

    Step 1: Created an expression:

    AFTER=AFTER('distinguishedName','dc=',TRUE)

    Step 2: Created a user attribute mapping with the following expression.

    (BEFORE(#AFTER,",")+"\"+sAMAccountName)

    Hope it helps someone.