releasing AD group names

Thomas M. Wilson Thomas.Wilson at
Fri Apr 8 21:37:36 UTC 2022

I just finished up implementing something very similar.  Rather than
using a mapped attribute why not use a regex split attribute?  This
seems to be working well for our setup.
    <AttributeDefinition id="memberOfMyApp" xsi:type="RegexSplit"
regex="^CN=([^,]*).+,OU=MyApp,.*">      <InputDataConnector
ref="myLDAP" attributeNames="memberOf" />      <AttributeEncoder
xsi:type="SAML2String" name="memberOfMyApp"
FriendlyName="memberOfMyApp"/>    </AttributeDefinition>
Tom WilsonUniversity of Wyoming Information Technology
-----Original Message-----From: IAM David Bantz via users <
users at>Reply-To: Shib Users <users at>To:
Shib Users <users at>Cc: IAM David Bantz <
dabantz at>Subject: releasing AD group namesDate: Fri, 08 Apr
2022 15:58:55 -0500

◆ This message was sent from a non-UWYO address. Please exercise
caution when clicking links or opening attachments from external

Working to integrate existing enterprise service to SAML SSO &
attribute release. The service relies on users’ AD group memberships
for fine-grained access control, maintained in a specific OU in AD,
sorta like CN=role1,OU=MyApp,OU=enterpriseservices…

I set up an attribute release/filter policy to release users' AD group
memberships from that specific OU. However, turns out they do not want
the full DN of the group, only the CN value, “role1”, role7”, etc. from
that OU. They insist the SAML
 attribute value must exactly match the CN names used in the app (i.e.,
“role8’, etc., not the full DN of the group). Is this a common

I have not figured out a release policy and/or attribute rule that
would do that - perhaps not surprising given the name and function of
 attribute-filter.xml (i.e., to filter resolved attributes, not
manipulate values). But perhaps
 I’ve missed something clever using a combination of policy requirement
and attribute rule with regex?

For this single service, it’s not a big deal to create a custom SP-
specific mapped attribute in the attribute-resolver to contain the CN’s
from the right OU, then release that custom attribute. Is that the
appropriate solution? I ask because
 that strategy doesn’t scale well; if there will be many services with
similar need there must be a better way…

David St Pierre Bantz
U Alaska IAM

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4192 bytes
Desc: not available
URL: <>

More information about the users mailing list