Symantec Access Management

  • 1.  Expression in Federation to add after uid

    Posted Jan 03, 2019 03:31 AM

    Dear All,


    Wish you all a Very Happy and Prosperous New Year 2019.



    Here is my question.


    I am trying to add a string "" after uid.


    1. I have created an expression and used that expression in the user directory as suggested in various threads.



    2. I have used the expression name from user directory in the federation Assertion Attribute as below.


    But still I am not able to get what I am looking for, that is (


    How can I get this manipulated and passed into the assertion?


    And below is the log I see, which is empty.


    <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">josch@****.**</ns2:NameID>
    <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData NotOnOrAfter="2019-01-03T08:19:48Z" Recipient=""/>
    <ns2:Conditions NotBefore="2019-01-03T08:17:48Z" NotOnOrAfter="2019-01-03T08:19:48Z">
    <ns2:AuthnStatement AuthnInstant="2019-01-03T08:18:18Z" SessionIndex="6DlqRYL6Ct0N6mkpMsQ5lZX1FcY=5GZC9A==" SessionNotOnOrAfter="2019-01-03T08:19:48Z">
    <ns2:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:Attribute Name="UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:Attribute Name="ImmutableID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:Attribute Name="First name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:Attribute Name="Last name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">


    In the logs, the UPN value is empty and nothing is passed to the assertion.


    Any clue or suggestion will be really great.


    PS: I have referred to the following threads before posting this question here.


  • 2.  Re: Expression in Federation to add after uid

    Posted Jan 04, 2019 03:47 AM

    Patrick-Dussault Chris_Hackett



    Any suggestions on the above would be appreciated.


    Wish you and your family a Happy and Prosperous New Year 2019.

  • 3.  Re: Expression in Federation to add after uid
    Best Answer

    Broadcom Employee
    Posted Jan 04, 2019 10:03 AM

    Hi ChristJs,


    I believe this is what you are looking for.


    Creating an expression at the directory level will not help in a federation scenario, as the attribute values are fetched at run time from the user directories listed at the partnership level. Hence you need to create the expression within the partnership Assertion Attributes.






    <ns2:Attribute Name="departmentnumber"



    <ns2:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" >



    <ns2:Attribute Name="uidtest" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" >
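    The symptom in this thread is an attribute (UPN) that appears in the assertion with no value. As an added example (not code from the thread or from the product), the check below parses a constructed SAML assertion of the same shape and reports which attributes carry no AttributeValue, so a mapping or expression problem like this one shows up before the partner complains; the sample assertion and the NameID value are constructed, not taken from the poster's environment.

```python
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: same structure as the assertion quoted in the thread,
# with UPN carrying no AttributeValue and username carrying a blank one.
SAMPLE_ASSERTION = """<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion">
  <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">josch@example.invalid</ns2:NameID>
  </ns2:Subject>
  <ns2:AttributeStatement>
    <ns2:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <ns2:AttributeValue>josch@example.invalid</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"/>
    <ns2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <ns2:AttributeValue></ns2:AttributeValue>
    </ns2:Attribute>
  </ns2:AttributeStatement>
</ns2:Assertion>"""


def attribute_values(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement.

    Every Attribute element is listed, even when it has no AttributeValue child,
    which is exactly the case the thread is about."""
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        result[attr.get("Name")] = values
    return result


def empty_attributes(assertion_xml, required=("UPN",)):
    """Names of attributes that are missing, have no AttributeValue, or whose
    values are all blank. Names in `required` are reported even when the
    assertion omits the Attribute element entirely."""
    values = attribute_values(assertion_xml)
    empty = [name for name, vals in values.items() if not any(vals)]
    empty += [name for name in required if name not in values]
    return sorted(set(empty))


if __name__ == "__main__":
    print("attributes without a value:", empty_attributes(SAMPLE_ASSERTION))
```

Run it against an assertion copied out of the federation trace log (the full XML, not the truncated element lines shown above) to confirm which assertion attributes the partnership is actually populating.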







  • 4.  Re: Expression in Federation to add after uid

    Posted Jan 04, 2019 10:13 AM



    I see in your Expression you are using




    Please change the expression to only




    The remainder of the configuration looks good. Albeit I'd directly paste the Expression within Attribute Mapping (Expression radio button selected) in User Directory, just to avoid a clutter of linked objects (e.g. Named Expression --> Attribute Mapping --> Federation Partnership vs. Attribute Mapping --> Federation Partnership).




  • 5.  Re: Expression in Federation to add after uid

    Posted Jan 07, 2019 01:29 AM



    I tried what you have suggested, but the value from the attribute mapping isn't passed to the assertion, whereas what was later suggested by you and mutas02 did work. When I tried this expression, I didn't add #{attr[uid]} in the expression.

    Thank you HubertDennis and mutas02



    Joseph Christie