Symantec Access Management

Expand all | Collapse all

Expression in Federation to add @xyz.com after uid

Jump to Best Answer
  • 1.  Expression in Federation to add @xyz.com after uid

    Posted 01-03-2019 03:31 AM

    Dear All,

     

    Wish you all a Very Happy and Prosperous New Year 2019.

    HubertDennis

     

    Here is my question.

     

    I am trying to add a string "@xyz.com" after uid.

     

    1. I have created a expression and used that expression in user directory as suggested in various threads.

     

     

    2. I have used the expression name from user directory in the federation Assertion Attribute as below.

     

    but still i am not able to get what i am looking for. that is (uid@xyz.com).

     

    How can i get this manipulated and passed into the assertion.

     

    and below is the log i see, which is empty.

     

    </ds:Signature>
    <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">josch@****.**</ns2:NameID>
    <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData NotOnOrAfter="2019-01-03T08:19:48Z" Recipient="https://login.microsoftonline.com/login.srf"/>
    </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2019-01-03T08:17:48Z" NotOnOrAfter="2019-01-03T08:19:48Z">
    <ns2:OneTimeUse/>
    <ns2:AudienceRestriction>
    <ns2:Audience>urn:federation:MicrosoftOnline</ns2:Audience>
    </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2019-01-03T08:18:18Z" SessionIndex="6DlqRYL6Ct0N6mkpMsQ5lZX1FcY=5GZC9A==" SessionNotOnOrAfter="2019-01-03T08:19:48Z">
    <ns2:AuthnContext>
    <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
    </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
    <ns2:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>josch@***.xx</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue/>
    </ns2:Attribute>
    <ns2:Attribute Name="ImmutableID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>josch</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="First name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Joseph</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="Last name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Christie</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>josch</ns2:AttributeValue>
    </ns2:Attribute>
    </ns2:AttributeStatement>
    </ns2:Assertion>

     

    in the logs, UPN value is empty and nothing is passed to the assertion.

     

    any clue or suggestion will be really great.

     

    PS: I have referred to following threads, before posting this question here.

     

    https://communities.ca.com/thread/241738164

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/attributes-and-expressions-reference/

    https://communities.ca.com/thread/241751620
    https://communities.ca.com/thread/241782406-using-expression-in-a-federation-partnership
    https://communities.ca.com/thread/100045213
    https://communities.ca.com/thread/241738111



  • 2.  Re: Expression in Federation to add @xyz.com after uid

    Posted 01-04-2019 03:47 AM

    Patrick-Dussault Chris_Hackett

     

    Patrick, 

    Any suggestions on the above would be appreciated.

     

    Wish you and your family a Happy and Prosperous New Year 2019.



  • 3.  Re: Expression in Federation to add @xyz.com after uid
    Best Answer

    Posted 01-04-2019 10:03 AM

    Hi ChristJs,

     

    I believe this is what you are looking for.

     

    Creating expression at directory level will not help in federation scenario as the attribute values are fetched at run time from listed user directories in partnership level. Hence you need to create expression within the partnership Assertion Attributes.

     

     

    Output:

    </ns2:AuthnStatement>

    <ns2:AttributeStatement>

    <ns2:Attribute Name="departmentnumber"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

    <ns2:AttributeValue>AdminDept</ns2:AttributeValue>

    </ns2:Attribute>

    <ns2:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" >

    <ns2:AttributeValue>Jones</ns2:AttributeValue>

    </ns2:Attribute>

    <ns2:Attribute Name="uidtest" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" >

    <ns2:AttributeValue>bjones@demo.com</ns2:AttributeValue>

    </ns2:Attribute>

    </ns2:AttributeStatement>

     

    Regards

    Ashok



  • 4.  Re: Expression in Federation to add @xyz.com after uid

    Posted 01-04-2019 10:13 AM

    ChristieJS

     

    I see in your Expression you are using

     

    Return_value=Get('uid')+'@cartoonnet.com'

     

    Please change the expression to only

     

    Get('uid')+'@cartoonnet.com'

     

    The remainder of the configuration looks good. Albeit I'd directly paste the Expression within Attribute Mapping (Expression Radio Button selected) in User Directory; just to avoid a clutter of linked objects (e.g Named Expression --> Attribute Mapping --> Federation Partnership VS Attribute Mapping --> Federation Partnership).

     

    Regards

    Hubert



  • 5.  Re: Expression in Federation to add @xyz.com after uid

    Posted 01-07-2019 01:29 AM

    HubertDennis,

     

    I tried what you have suggested. but the value from the attibute mapping isn't passed to assetion. where as later suggested by you and mutas02 did work. when I tried this expression, I didn't add #{attr[uid]} in the expression.

    Thank you HubertDennis and mutas02

     

    Regards,

    Joseph Christie