Using XSLT to filter groups to send in SAML Assertion


SecureAuth IdP Version Affected:  All

Description:  When trying to send ONLY specific groups in SAML assertions, the Group Filter Expression field is insufficient and does not work.

Cause:  In certain instances, the Group Filter Expression will not filter the groups correctly and instead will send either ALL the groups that the user is a member of, or none of the groups at all.  When this happens, you will have to enable the XSLT Transformation Engine and create the filter manually.

Resolution:  In the Transformation Engine section, be sure to check the "Enable Transformation Engine" check box.

Scroll down to the GroupList attribute, and enter in the following:

<GroupList>
  <Groups>
    <xsl:for-each select="user/GroupList/Groups/Value">
      <xsl:if test="contains(current(),'GROUP TO BE FILTERED')">
        <Value>
          <xsl:value-of select="current()" />
        </Value>
      </xsl:if>
    </xsl:for-each>
  </Groups>
</GroupList>

. . . where GROUP TO BE FILTERED is the partial or full name of the group you want to be included in the SAML assertion.

Multiple groups can be filtered this way by adding additional IF TEST statements within the FOR-EACH loop:

<GroupList>
  <Groups>
    <xsl:for-each select="user/GroupList/Groups/Value">
      <xsl:if test="contains(current(),'GROUP 1')">
        <Value>
          <xsl:value-of select="current()" />
        </Value>
      </xsl:if>

      <xsl:if test="contains(current(),'GROUP 2')">
        <Value>
          <xsl:value-of select="current()" />
        </Value>
      </xsl:if>
    </xsl:for-each>
  </Groups>
</GroupList>
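An added variant (not from the original article) for the case where the exact group names are known. contains() is a substring test, so filtering on 'Admin' would also pass 'Administrators' or 'Admin-ReadOnly' into the assertion; comparing the value with = releases only the listed groups, and several names can share one test with or. The group names below are constructed placeholders, and the input path user/GroupList/Groups/Value is assumed to be the same as in the article's snippet.

```xml
<GroupList>
  <Groups>
    <xsl:for-each select="user/GroupList/Groups/Value">
      <!-- Exact string comparison: 'SAML-App-Admins' no longer matches
           'SAML-App-Admins-ReadOnly' or any other superstring.
           If a prefix match is genuinely wanted, use
           starts-with(., 'SAML-App-') instead of contains(). -->
      <xsl:if test=". = 'SAML-App-Users' or . = 'SAML-App-Admins'">
        <Value>
          <xsl:value-of select="." />
        </Value>
      </xsl:if>
    </xsl:for-each>
  </Groups>
</GroupList>
```

Within xsl:for-each, "." and current() refer to the same Value element, so either form can be used in the test.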


SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
