releasing AD group names

IAM David Bantz dabantz at
Fri Apr 8 20:58:55 UTC 2022

Working to integrate existing enterprise service to SAML SSO & attribute
release. The service relies on users’ AD group memberships for fine-grained
access control, maintained in a specific OU in AD, sorta like

I set up an attribute release/filter policy to release users' AD group
memberships from that specific OU. However, turns out they do not want the
full DN of the group, only the CN value, “role1”, “role7”, etc. from that
OU. They insist the SAML attribute value must exactly match the CN names
used in the app (i.e., “role8”, etc., not the full DN of the group). Is
this a common requirement?

I have not figured out a release policy and/or attribute rule that would do
that - perhaps not surprising given the name and function of
attribute-*filter*.xml (i.e., to filter resolved attributes, not manipulate values).
But perhaps I’ve missed something clever using a combination of policy
requirement and attribute rule with regex?

For this single service, it’s not a big deal to create a custom SP-specific
mapped attribute in the attribute-resolver to contain the CN’s from the
right OU, then release that custom attribute. Is that the appropriate
solution? I ask because that strategy doesn’t scale well; if there will be
many services with similar need there must be a better way…

David St Pierre Bantz
U Alaska IAM
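As an added illustration (not part of the original message), this is one way to realise the "custom mapped attribute in the attribute-resolver" approach described above in a Shibboleth IdP: a Mapped attribute definition whose regex is anchored to the one OU, so only groups under that OU yield a bare CN and everything else is dropped, plus the filter policy that releases it to the single SP. The connector id "myLDAP", the OU "OU=AppRoles,OU=Groups,DC=example,DC=edu" and the entityID "https://app.example.edu/shibboleth" are constructed placeholders.

```xml
<!-- attribute-resolver.xml: added example, not from the original post.
     Assumes an LDAP data connector id="myLDAP" that returns memberOf, and a
     constructed application OU "OU=AppRoles,OU=Groups,DC=example,DC=edu". -->
<AttributeDefinition id="appRoles" xsi:type="Mapped">
    <InputDataConnector ref="myLDAP" attributeNames="memberOf"/>
    <ValueMap>
        <!-- $1 is the first capture group of the SourceValue regex below,
             i.e. the bare CN such as "role1" or "role8". -->
        <ReturnValue>$1</ReturnValue>
        <!-- Anchored regex: only groups directly under the application OU match.
             Group DNs from any other OU produce no value at all, because this
             definition deliberately has no <DefaultValue>, so nothing outside
             the intended OU can leak into the attribute. ignoreCase tolerates
             AD's mixed-case rendering of DN components. A CN containing an
             escaped comma will not match [^,]+ and is dropped rather than
             mis-split; handle such names explicitly if they exist. -->
        <SourceValue ignoreCase="true">^CN=([^,]+),OU=AppRoles,OU=Groups,DC=example,DC=edu$</SourceValue>
    </ValueMap>
</AttributeDefinition>

<!-- attribute-filter.xml: release the mapped CN values only to this one SP.
     The entityID is a constructed placeholder. -->
<AttributeFilterPolicy id="releaseAppRoles">
    <PolicyRequirementRule xsi:type="Requester" value="https://app.example.edu/shibboleth"/>
    <AttributeRule attributeID="appRoles">
        <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
</AttributeFilterPolicy>
```

Because the filter layer only permits or denies values, the CN extraction has to happen in the resolver as shown; check the result with the IdP's attribute-resolver debugging (e.g. the resolvertest or AACLI utility) against a test account before release.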