How can I filter groups based off of a search filter?

    Applies to:
      • SecureAuth Identity Platform
      • Legacy SecureAuth IdP
    Deployment model:
      • Cloud
      • Hybrid
      • On Premises
    Version Affected: All


    In some cases, an admin may want to filter the groups allowed to log in to a realm without using Adaptive Authentication. This filtering can be done through the search filter on the Data tab of each realm of the IdP.



    Users may be members of many groups within your Active Directory, which in turn makes logging in take longer.



    Here are a few search filters that will allow filtering when searching Active Directory directly via the Data Tab configuration.

    The default samaccountname search:

    • (&(samAccountName=%v)(objectclass=user))

    The default userprincipalname search:

    • (&(userPrincipalName=%v)(objectclass=user)(objectcategory=person))

    To search for username, e-mail or UPN:

    • (&(objectclass=user)(|(samaccountname=%v)(mail=%v)(userprincipalname=%v)))

    To search for members of nested groups:

    • (&(samAccountName=%v)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=VPN Groups,OU=Groups,DC=dom,DC=ext))

    To search for a member of a specific group:

    • (&(samAccountName=%v)(objectclass=user)(memberOf:=CN=VPN Groups,OU=Groups,DC=dom,DC=ext))

    To search for a member of a specific group starting with a few characters:

    • (&(samAccountName=%v)(objectclass=user)(memberOf:=CN=VPN\2A,OU=Groups,DC=dom,DC=ext))
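
    To sanity-check a filter before saving it on the Data tab, the following added example (not SecureAuth code) runs a simplified structural check on a filter and shows the %v placeholder replaced by a username escaped per RFC 4515. How the product itself substitutes %v is not stated in this article; plain text substitution is an assumption here, and render, parse and is_valid are hypothetical helper names.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# attribute, optional :dn and :matchingRule, a match operator, then the value
ITEM = re.compile(r"[A-Za-z][\w.;-]*(:dn)?(:[\w.]+)?(:=|~=|>=|<=|=)[^()]*")

def render(template, username):
    """Replace every %v with the username, escaped so it cannot alter the filter."""
    escaped = "".join(ESCAPES.get(ch, ch) for ch in username)
    return template.replace("%v", escaped)

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return the index just past it."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, operands = f[i], i + 1, 0
        while i < len(f) and f[i] == "(":
            i, operands = parse(f, i), operands + 1
        if operands == 0 or (op == "!" and operands != 1):
            raise ValueError(f"'{op}' has {operands} operand(s)")
    else:
        end = f.find(")", i)
        if end < 0 or not ITEM.fullmatch(f[i:end]):
            raise ValueError(f"malformed item at offset {i}")
        i = end
    if i >= len(f) or f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

def is_valid(f):
    """True when f is exactly one well-formed filter with nothing left over."""
    try:
        return parse(f) == len(f)
    except ValueError:
        return False

if __name__ == "__main__":
    nested = ("(&(samAccountName=%v)(objectclass=user)"
              "(memberOf:1.2.840.113556.1.4.1941:=CN=VPN Groups,OU=Groups,DC=dom,DC=ext))")
    print(is_valid(nested), render(nested, "j(smith)*"))  # constructed username
    print(is_valid("(&(samAccountName=%v)((objectclass=user)(mail=%v)))"))  # no operator
```

    The check covers parenthesis balance, operator placement and the attribute/operator shape of each item; it does not confirm that an attribute or group exists in the directory.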



    Special Considerations:

    These filters have only been tested using Active Directory as the Membership Connection Settings. Other LDAP configurations may require different filter structures.



    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
