This topic has 4 replies, 4 voices, and was last updated 1 month ago by Jatinder Singh.


    Hi Team,

    I would like to know how I can customize the SAML response so that I get the attribute value correctly under Groups.

    My current response is

    <saml:Attribute Name="Groups">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">cn=ABC_USER,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky</saml:AttributeValue>
    </saml:Attribute>

    My expectation is

    <saml:Attribute Name="Groups">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">ABC_USER</saml:AttributeValue>
    </saml:Attribute>

    I would like to know how I can get the group name value directly, instead of the cn and ou keywords, in the response.

    What must I change in the configuration/setup to get this as expected?

    Thanks, AJ


    You have a few options:
    1. Create a virtual attr in the datastore directory which would put the group name on the user profile (and then map that attr in the AM's datastore config).
    2. Write a custom attr mapper to parse out the group name from the group DN.
    3. Ask the SP application to parse the group name out of the DN when the assertion is being processed.

    In my experience, if the app owner is unwilling to do #3 then #1 is the easiest way to do this. #2 requires extending a Java class and deploying the mapper JAR in the OpenAM WAR. Definitely a lot more work.

    My 2 cents and good luck.

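The parsing that options 2 and 3 call for, as an added example that is not code from this thread or from ForgeRock: it extracts the CN from each group DN the way an SP (option 3) or a custom attribute mapper (option 2) would, handles RFC 4514 escaping (escaped commas, hex-escaped UTF-8), and refuses any group that does not sit under the container the SP trusts, because keeping only the CN throws away the rest of the DN and a cn=ABC_USER under some other OU would otherwise map to the same role. The sample DNs, the trusted-container suffix and all function names are constructed for the example.

```python
# Added example (not from the thread or from ForgeRock): map the group DN that
# AM puts into the SAML "Groups" attribute to the group's CN, as an SP or a
# custom attribute mapper would.  Suffixes, sample DNs and names are constructed.
import re
from typing import List, Tuple

HEX = "0123456789abcdefABCDEF"


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on commas that are not escaped (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs intact for now
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def unescape_value(value: str) -> str:
    """Undo RFC 4514 escaping: '\\XX' hex pairs (which may together form one
    UTF-8 character) and backslash-quoted specials such as '\\,'."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_rdn(rdn: str) -> Tuple[str, str]:
    """Return (lower-cased attribute type, unescaped value) of a single-valued RDN."""
    if re.search(r"(?<!\\)\+", rdn):
        raise ValueError(f"multi-valued RDN not supported: {rdn!r}")
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().lower(), unescape_value(value.strip())


def normalize_dn(dn: str) -> List[Tuple[str, str]]:
    """Normalise for comparison: lower-case type and value.  DirectoryString
    matching is case-insensitive; this is a simplification of full DN matching."""
    return [(a, v.lower()) for a, v in (parse_rdn(r) for r in split_dn(dn))]


def group_name_from_dn(group_dn: str, trusted_parent: str) -> str:
    """Map a group DN to its CN, but only if the group sits directly under the
    container the SP trusts; otherwise raise ValueError."""
    rdns = split_dn(group_dn)
    if len(rdns) < 2:
        raise ValueError(f"not a group DN: {group_dn!r}")
    attr, name = parse_rdn(rdns[0])
    if attr != "cn":
        raise ValueError(f"leading RDN is not cn: {group_dn!r}")
    if normalize_dn(",".join(rdns[1:])) != normalize_dn(trusted_parent):
        raise ValueError(f"group outside trusted container: {group_dn!r}")
    return name


def map_groups(values: List[str], trusted_parent: str) -> Tuple[List[str], List[str]]:
    """Process every <saml:AttributeValue> of the Groups attribute and return
    (accepted group names, rejected raw values) so the SP can log the rejects."""
    accepted, rejected = [], []
    for v in values:
        try:
            accepted.append(group_name_from_dn(v, trusted_parent))
        except ValueError:
            rejected.append(v)
    return accepted, rejected


# Constructed sample: the DN from the thread plus escaped and out-of-tree cases.
TRUSTED_PARENT = "ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky"
SAMPLE_GROUP_VALUES = [
    "cn=ABC_USER,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky",
    "cn=Sales\\, EMEA,OU=people,ou=subscribers,dc=dta,dc=gov,dc=ky",  # escaped comma
    "cn=Caf\\c3\\a9,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky",     # hex-escaped UTF-8
    "cn=ABC_USER,ou=Contractors,dc=dta,dc=gov,dc=ky",                  # same CN, wrong tree
]

if __name__ == "__main__":
    print(map_groups(SAMPLE_GROUP_VALUES, TRUSTED_PARENT))
```

The same check belongs in a custom AM attribute mapper if you go with option 2: once the mapper emits only the CN, the SP can no longer tell which container the group came from, so the mapper should only shorten DNs under the container it expects and drop the rest.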
     Jatinder Singh

    @ssripathy1 Thank you for the answer. If possible, could you please elaborate on the first half (DS side) of your suggestion #1. For example, what type of attribute to use e.g. User Defined vs. other and whether a custom Java extension class is required.

    Thanks and much appreciated!

     Andy Cory

    Hi @jsingh

    I think ssripathy1 means something like this:

    dsconfig create-virtual-attribute -D "cn=Directory Manager" -w password -X -n \
      --type user-defined --name "groupMembership" \
      --set attribute-type:groupMembership --set enabled:true \
      --set value:ABC_USER \
      --set filter:"(&(objectClass=person)(isMemberOf=cn=ABC_USER,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky))"

    This would be a user-defined attribute type as you suggest, and would ensure that the virtual attribute named groupMembership would be present in the identity and have a value of ABC_USER if the identity matched the filter – i.e., if the identity was a member of the cn=ABC_USER,ou=People,ou=subscribers,dc=dta,dc=gov,dc=ky group. The custom groupMembership attribute would have to be defined in the DS schema, but no Java extension class would be required.


     Jatinder Singh

    Thanks, Andy, for the answer!

    While I was able to get it working using the group DN, the isMemberOf in the virtual attribute filter as mentioned in your answer above didn't work. And I did check the ACI around it – it is available to anyone. And when I run a simple LDAP search with the isMemberOf filter, it returns the correct result.

©2021 ForgeRock