I am trying to integrate Alicloud with CA Federation. The integration is similar to AWS, and we are required to pass the below attribute as part of the assertion:
I am stuck with the issue in case a user has multiple roles. Please note the roles in Alicloud are required to be passed in the below format:
<Attribute Name="https://www.aliyun.com/SAML-Role/Attributes/Role">
    <AttributeValue>acs:ram::$account_id:role/role1,acs:ram::$account_id:saml-provider/provider1</AttributeValue>
    <AttributeValue>acs:ram::$account_id:role/role2,acs:ram::$account_id:saml-provider/provider1</AttributeValue>
</Attribute>
To achieve this, I tried multiple ways to form an expression in the attribute mapping associated with the user directory, but none of them work. The main challenge is the concatenation of these static strings to the roles. I have managed to filter out the roles, but adding the before and after strings is not working. As of now, I am using the below expression, followed by FMATTR:Virtual Attribute Name as the value in the federation partnership for the role attribute.
"acs:ram::***************:role/" + Filter(ENUMERATE(GET('FMATTR:memberOf'),String(RDN(STRING(%0),FALSE))),'ABC*') + ",acs:ram::***************:saml-provider/test-sp1"
The above does not work and is good only when the user has a single role assigned.
Any help is much appreciated.
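As an added example (not part of the original post, and not CA Federation's expression language), the following Python shows the transformation the post is after: each memberOf DN is reduced to its first RDN value, filtered by the poster's ABC* prefix, and the static role/provider strings are applied per element rather than to the whole enumerated list, which is exactly where a single-string concatenation breaks for multi-role users. The group DNs, account id and provider name are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Attribute name from the Alicloud SAML role format quoted in the post.
ROLE_ATTR_NAME = "https://www.aliyun.com/SAML-Role/Attributes/Role"


def first_rdn_value(dn: str) -> str:
    """Return the value of the first RDN of an LDAP DN, honouring backslash-escaped commas.
    'cn=ABC-Admin,ou=Groups,dc=example,dc=com' -> 'ABC-Admin'."""
    m = re.match(r"^\s*[^=,]+=((?:\\.|[^,\\])*)", dn)
    if not m:
        raise ValueError(f"not an LDAP DN: {dn!r}")
    return m.group(1).replace("\\,", ",").strip()


def alicloud_role_values(member_of, account_id, provider, group_prefix):
    """Build one 'role,provider' pair per matching group.
    Concatenating the prefix/suffix around the *list* produces a single malformed
    value; the static strings must wrap each role individually."""
    values = []
    for dn in member_of:
        name = first_rdn_value(dn)
        if not name.startswith(group_prefix):      # same intent as Filter(..., 'ABC*')
            continue
        values.append(
            f"acs:ram::{account_id}:role/{name},"
            f"acs:ram::{account_id}:saml-provider/{provider}"
        )
    return values


def role_attribute_xml(values):
    """Render the <Attribute> element with one <AttributeValue> per role.
    ElementTree escapes text, so a role name cannot inject markup into the assertion."""
    attr = ET.Element("Attribute", Name=ROLE_ATTR_NAME)
    for v in values:
        ET.SubElement(attr, "AttributeValue").text = v
    return ET.tostring(attr, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample memberOf values; "123456789012" and "test-sp1" are placeholders.
    groups = [
        "cn=ABC-Admin,ou=Groups,dc=example,dc=com",
        "cn=Finance,ou=Groups,dc=example,dc=com",        # filtered out: no ABC prefix
        "CN=ABC-ReadOnly,OU=Groups,DC=example,DC=com",
    ]
    print(role_attribute_xml(alicloud_role_values(groups, "123456789012", "test-sp1", "ABC")))
```

If the filtered list is empty the caller should omit the attribute entirely rather than emit an empty AttributeValue.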