Using XSLT to filter groups to send in SAML Assertion

Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
SecureAuth IdP Version Affected: All

    Description:  When trying to send ONLY specific groups in SAML assertions, the Group Filter Expression field is insufficient and does not work.

    Cause:  In certain instances, the Group Filter Expression will not filter the groups correctly and instead will send either ALL the groups that the user is a member of, or none of the groups at all.  When this happens, you will have to enable XSLT Transformation Engine and create the filter manually.

    Resolution:  In the Transformation engine, be sure to check the "Enable Transformation Engine" check box.

    Scroll down to the GroupList attribute, and enter in the following:

    <GroupList>
    <Groups>
    <xsl:for-each select="user/GroupList/Groups/Value">
    <xsl:if test="contains(current(),'GROUP TO BE FILTERED')">
    <Value>
    <xsl:value-of select="current()" />
    </Value>
    </xsl:if>
    </xsl:for-each>
    </Groups>
    </GroupList>

    . . . where GROUP TO BE FILTERED is the partial or full name of the group you want to be included in the SAML assertion.

    Multiple groups can be filtered this way by adding additional IF TEST statements within the FOR loop:

    <GroupList>
    <Groups>
    <xsl:for-each select="user/GroupList/Groups/Value">
    <xsl:if test="contains(current(),'GROUP 1')">
    <Value>
    <xsl:value-of select="current()" />
    </Value>
    </xsl:if>

    <xsl:if test="contains(current(),'GROUP 2')">
    <Value>
    <xsl:value-of select="current()" />
    </Value>
    </xsl:if>
    </xsl:for-each>
    </Groups>
    </GroupList>
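    Before deploying the transform, it is worth checking which group names the contains() predicate will actually admit, because contains() is a case-sensitive substring test (a pattern like 'Admins' also matches 'SAML_Admins_Test') and each stacked IF TEST emits its own Value, so a group matching two patterns appears twice. The following Python script is an added example, not SecureAuth code: it reproduces the predicate logic of the fragment above with the standard library (no XSLT engine) over a constructed user document whose group names are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the user document the transform runs against.
# The structure follows the article's XPath user/GroupList/Groups/Value;
# the group names are invented for this example.
USER_XML = """<user>
  <GroupList>
    <Groups>
      <Value>SAML_Admins</Value>
      <Value>SAML_Admins_Test</Value>
      <Value>Domain Users</Value>
      <Value>VPN_Users</Value>
    </Groups>
  </GroupList>
</user>"""


def user_groups(user_xml):
    """Return the text of every user/GroupList/Groups/Value node, in order."""
    root = ET.fromstring(user_xml)
    return [v.text or "" for v in root.findall("GroupList/Groups/Value")]


def filter_contains(groups, patterns):
    """Mirror of the article's filter: a for-each over the groups with one
    <xsl:if test="contains(current(),'P')"> per pattern. XPath contains() is a
    case-sensitive substring test, and each xsl:if emits its own <Value>, so a
    group matching two patterns is emitted twice (duplicates are kept here)."""
    out = []
    for g in groups:          # xsl:for-each select="user/GroupList/Groups/Value"
        for p in patterns:    # one xsl:if per configured group pattern
            if p in g:        # contains(current(), p)
                out.append(g)
    return out


def filter_exact(groups, names):
    """Tighter variant using test="current() = 'NAME'": only exact names pass."""
    return [g for g in groups if g in names]


def assertion_group_list(groups):
    """Build the <GroupList> fragment that the SAML assertion will carry."""
    gl = ET.Element("GroupList")
    gs = ET.SubElement(gl, "Groups")
    for g in groups:
        ET.SubElement(gs, "Value").text = g
    return ET.tostring(gl, encoding="unicode")


if __name__ == "__main__":
    groups = user_groups(USER_XML)
    print("contains('SAML_Admins'):", filter_contains(groups, ["SAML_Admins"]))
    print("exact 'SAML_Admins':    ", filter_exact(groups, ["SAML_Admins"]))
    print(assertion_group_list(filter_exact(groups, ["SAML_Admins"])))
```

Run it with the patterns you intend to configure and compare the two lists; if the substring form admits groups you did not expect, switch the IF TEST to an exact comparison.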


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
