Tagged: SAML Response
January 18, 2021 at 3:41 pm #28424 ataneja7 (Participant)
I would like to know how I can customize the SAML response so that I get the attribute value correctly under Groups.
My current response is
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">cn=ABC_USER,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky</saml:AttributeValue>
My expectation is
<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">ABC_USER</saml:AttributeValue>
I would like to know how I can get the group name value directly, instead of the cn, ou keywords, in the response.
What must I change in the configuration/setup to get the expected result?
Thanks, AJ
January 18, 2021 at 10:28 pm #28425 ssripathy1 (Participant)
You have a few options:
1. Create a virtual attr in the datastore directory which would put the group name on the user profile (and then map that attr in the AM’s datastore config).
2. Write a custom attr mapper to parse out the group name from the group DN.
3. Ask the SP application to parse the group name out of the DN when the assertion is being processed.
In my experience, if the app owner is unwilling to do #3, then #1 is the easiest way to do this. #2 requires extending a Java class and deploying the mapper jar in the OpenAM war. Definitely a lot more work.
My 2 cents and good luck.
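Option 3 above (SP-side parsing) as an added example, not code from this thread or from ForgeRock: a Python routine that splits the group DN following RFC 4514 escaping rules, returns the leading cn as the group name, and accepts only groups under the container seen in the question's DN (the GROUP_BASE value is assumed from that DN; multi-valued RDNs joined with "+" are not handled).

```python
"""Extract a group name from a group DN carried in a SAML AttributeValue.

Added example (not from the forum thread or ForgeRock). A naive split on ","
breaks on escaped commas such as "cn=Sales\\, EMEA,..."; this parser honours
backslash and \\XX hex escapes, then checks the parent RDNs so that a value
like "cn=ABC_USER,ou=Admins,..." is not mistaken for the expected group.
"""
import re
from typing import Optional

# Assumed container, taken from the DN quoted in the question.
GROUP_BASE = "ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky"


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring RFC 4514 escapes."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3] or ""):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # "\2C" style hex pair
                i += 3
            else:
                buf.append(dn[i + 1])  # "\," "\+" "\=" etc.
                i += 2
            continue
        if c == ",":  # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)  # attribute names never contain "="
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def group_name_from_dn(dn: str, base: str = GROUP_BASE) -> Optional[str]:
    """Return the group cn, or None if the DN is not a group under `base`."""
    pairs = split_dn(dn)
    if not pairs or pairs[0][0] != "cn":
        return None
    fold = lambda ps: [(a, v.lower()) for a, v in ps]  # DC/OU values are case-insensitive
    if fold(pairs[1:]) != fold(split_dn(base)):
        return None
    return pairs[0][1]
```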
January 20, 2021 at 11:05 pm #28429 Jatinder Singh (Participant)
@ssripathy1 Thank you for the answer. If possible, could you please elaborate on the first half (DS side) of your suggestion #1? For example, what type of attribute to use, e.g. User Defined vs. other, and whether a custom Java extension class is required.
Thanks and much appreciated!
January 27, 2021 at 12:52 pm #28439 Andy Cory (Participant)
I think ssripathy1 means something like this:
dsconfig -D "cn=directory manager" -w password -n create-virtual-attribute \
  --type user-defined --name "groupMembership" \
  --set attribute-type:groupMembership --set enabled:true \
  --set value:ABC_USER \
  --set filter:"(&(objectClass=person)(isMemberOf=cn=ABC_USER,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky))"
This would be a user-defined attribute type as you suggest, and would ensure that the virtual attribute named groupMembership would be present in the identity and have a value of ABC_USER if the identity matched the filter, i.e., if the identity was a member of the cn=ABC_USER,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky group. The custom groupMembership attribute would have to be defined in the DS schema, but no Java extension class would be required.
-Andy
January 28, 2021 at 6:11 am #28442 Jatinder Singh (Participant)
Thanks, Andy, for the answer!
While I was able to get it working, using the isMemberOf in the virtual attribute filter as mentioned in your answer above didn’t work. And I did check the ACI around it, and it is available to anyone. And when I run a simple LDAP search with the isMemberOf filter, it returns the correct result.