I had been monkeying around the past week tweaking all different possible ways of trying to accomplish this, and folks here have helped me get quite far, but I am just about there.
What I need is to pass one SAML attribute which will contain only one of several possible user role values.
A) pass a SAML attribute name "UserRole"
B) Evaluate the user's "memberOf" AD attribute to see which of those three AD groups the user belongs to and pass the corresponding role name:
(1) if user is member of AD group "org_manager" --> pass this role name value: "admin-user"
(2) if user is member of AD group "org_developer" --> pass this role value: "power-user"
(3) if user is member of AD group "org_employee" --> pass this role value: "user"
This expression works for me --> GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : ""
So with that expression I can pass the role value of "admin-user" in the SAML attribute if the user is a member of the "org_manager" AD group, but what if the user is a member of "org_developer", for which I would need to pass the corresponding role value of "power-user" instead, and likewise if the user is a member of "org_employee" then I would need to pass the role value of "user".
I need to add onto this expression --> GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" so that it will evaluate the two other possible AD groups from memberOf, something like this:
GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" + CONTAINS ('org_developer') ? "power-user" : "" + CONTAINS ('org_employee') ? "user" : ""
Would very much appreciate any help on figuring this out.
What if the user belongs to all three groups, or 2 groups, what would you want to return in this situation ?
One thing I can think of is a virtual attribute Attribute Mapping.
You can create 3 Attribute Mappings as follows:
orgmanager --> FILTER(GET('memberOf'),'*org_manager*')
poweruser --> FILTER(GET('memberOf'),'*org_developer*')
user --> FILTER(GET('memberOf'),'*org_employee*')
The above Attributes will return the group DN if the user belongs to it.
Then, use these Attributes in the Expression under the partnership, which will check if the first Attribute is null, then check the second, and if it has a value return .....
Just a thought
Very much appreciate your suggestion. Unfortunately our SP partner expects to digest the user's role/permission from only one specific SAML attribute so we would need an elaborate expression that would combine all of that into one attribute.
Again, thank you for the suggestion!
My apologies on the late revert, very busy on a current engagement. Hence trying to keep up on communities.
Joe suggested an approach above.
If we need it within one expression, here is a crude example using ONLY OPERATORS. I hate to invoke multiple code spaces within the Product feature set (e.g. OPERATORS Expression under UD and JUEL Expression under Partnership) to achieve a single purpose. I prefer as far as possible to keep everything under one code space within the Product and try to achieve it as best as I can.
I haven't tested this (ideally I'd test it to some extent, but I am really busy elsewhere). Hence kindly try this and let me know your feedback.
Expression (Attribute Mapping in User Directory).
Create an Attribute Mapping within this Expression e.g. STATUS=<Expression>
If a User belongs to all three groups, it'd return
If a User belongs to only one group e.g. org-developer, it'd return
NOTE : I prefer some value (e.g. 0) rather than null or blank, hence I added "0" as failure condition. As it helps me better identify the conditions. Service Provider can always check for static values e.g. "0" means user does not belong to something specific.
Let me try to take this a step further for you.
In the SAML world, the tendency is to prefer multi-valued attributes in different lines rather than a single line (separated by "^"). Thus the beauty of using a single expression outside the SAML Partnership is that within the SAML partnership assertion attribute, I could focus my effort on using reserved KEYWORDS with User Attributes, rather than using another layer of JUEL expression.
This means in the SAML Partnership assertion attributes, I can define FMATTR:AttributeMapping_AttributeNameFromUD e.g. FMATTR:STATUS. What FMATTR would do is, it'd look at "^" and put each value in a separate line within the SAML Assertion Attribute. If we don't mention FMATTR everything appears in a single line separated by "^"; this is OOB behavior.
Hope this helps!
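As an added illustration (not from this thread or from CA), the following Python models the logic the post above describes so the edge cases can be checked offline before building the OPERATORS expression: one "^"-separated slot per group with "0" as the failure value, and the FMATTR split into separate assertion values. CONTAINS is modelled as a substring match over the memberOf DNs; the group DNs and the function names are constructed for the example, and the mapping table is a parameter so the same logic can be reused for a second attribute.

```python
from typing import Dict, List

# Constructed sample: AD group -> role value the SP expects (from the thread)
ROLE_BY_GROUP: Dict[str, str] = {
    "org_manager": "admin-user",
    "org_developer": "power-user",
    "org_employee": "user",
}

def contains_group(member_of: List[str], group: str) -> bool:
    """Model of GET('memberOf') CONTAINS ('<group>'): a substring match over the DN list."""
    return any(group in dn for dn in member_of)

def status_multi(member_of: List[str], roles: Dict[str, str] = ROLE_BY_GROUP,
                 failure: str = "0") -> str:
    """One '^'-separated slot per group; '0' where the user is not a member (as the post describes)."""
    return "^".join(role if contains_group(member_of, group) else failure
                    for group, role in roles.items())

def fmattr_split(value: str) -> List[str]:
    """Partnership-side FMATTR behaviour: each '^' part becomes a separate attribute value."""
    return value.split("^")

def status_single(member_of: List[str], roles: Dict[str, str] = ROLE_BY_GROUP,
                  failure: str = "0") -> str:
    """Variant for an SP that accepts exactly one value: first listed (most privileged) group wins."""
    for group, role in roles.items():
        if contains_group(member_of, group):
            return role
    return failure

# Constructed sample memberOf values
ALL_THREE = ["CN=org_manager,OU=Groups,DC=example,DC=com",
             "CN=org_developer,OU=Groups,DC=example,DC=com",
             "CN=org_employee,OU=Groups,DC=example,DC=com"]
DEV_ONLY = ["CN=org_developer,OU=Groups,DC=example,DC=com"]

if __name__ == "__main__":
    print(status_multi(ALL_THREE))                 # admin-user^power-user^user
    print(status_multi(DEV_ONLY))                  # 0^power-user^0
    print(fmattr_split(status_multi(DEV_ONLY)))    # ['0', 'power-user', '0']
    print(status_single(ALL_THREE))                # admin-user
    # Substring matching over-matches: a constructed group named org_developer_ext also hits
    print(contains_group(["CN=org_developer_ext,OU=Groups,DC=example,DC=com"], "org_developer"))
```

The last line shows the caveat of substring CONTAINS/FILTER patterns: a group whose name merely contains the pattern is treated as a match, so pick patterns that are unique within your directory.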
No need for apology, you have helped us immensely since we discovered CA Community as an alternative to CA Support.
Yes, one single expression is what we need and your example above should do exactly what our SAML SP requires.
This is the original expression that you had helped me with in the past --> GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : ""
So with that expression I tried extending it and at one point had it like this --> GET('memberOf') CONTAINS ('jira-team123-Team-Web') ? "Jira" : "" + GET('memberOf') CONTAINS ('Fusion_User') ? "Fusion" : "" + GET('memberOf') CONTAINS ('confluence-dev-teams') ? "Confluence" : ""
But when I tried to save and submit then I get the following error from the Admin UI:
Failed to execute ModifyAttributeMappingEvent. ERROR MESSAGE: SmApiWrappedException:The second and third clauses of a conditional expression must be the same type (not and ).
This one worked on SAVE in WAMUI.
Kindly test and suggest back. Looking forward to hearing how the test went.
This worked perfectly.. thank you!!
I am also working on a similar use case. The user is a part of 4 groups and the SP needs the group name value in a single attribute. I used the expression mentioned above but get 0^0^0^0 in the outgoing assertion.
We have OUD as the user directory. Do I need to change 'memberof' to 'isMemberOf'?
Thanks in advance.
Looking at the OUD specific, it does seem to be "IsMemberOf".
Oracle Unified Directory - Is Member Of Virtual Attribute
Oracle Unified Directory - Member Virtual Attribute
Oracle Unified Directory - Virtual Attribute
Step-1 : Create a simple response in a Policy Domain and check if IsMemberOf works. If this works and returns all the groups, we can then proceed to use IsMemberOf within an expression for further processing.
If the requirement is "User is a part of 4 groups and SP needs the group name value in a single attribute", then we need not create an expression. This is OOB functionality. To return all groups that a User belongs to in a single attribute, we can simply use "IsMemberOf", "SM_USERGROUPS" or "SM_USERNESTEDGROUPS". Below are some examples (especially the first link).
saml asserting party assertion with multi-valued attribute syntax
Nested group based authorization
Nested Groups in Response and in Policies
I think I did not explain the requirement clearly. SP needs 2 attributes.
1. UserGroup: There are 4 grps for the app. Now depending on what grp the user is a member of, they need a value which is not the same as the actual grp name. If a user is a member of the ABC group they are expecting "Admin" in the attribute, and so forth.
2. UserType : Same thing for this attribute. If a user is a part of ABC grp value for user type should be "Test".
This expression you gave above looked like a perfect fit for this use case. I am going to try what you suggested and share the results.
Makes sense now, idamguy.
We can use either "IsMemberOf", "SM_USERGROUPS" or "SM_USERNESTEDGROUPS" to return all the groups that the user belongs to and then use that within the expression. Looking to hear how the test went. Thank you.
It is working with "isMemberOf". I am doing some more testing for a couple of days with these and will update this thread later.