Hello everybody,
I have an ISVA environment with federated Active Directory.
I have created a federation (ISVA is IdP) and I am currently passing the sAMAccountName attribute to the partner SP.
I performed the following configuration on the reverse proxy:

[TAM_CRED_ATTRS_SVC: eperson]
code = sAMAccountName

and I created the following mapping rule:

var authnMethodAttr = new Attribute ("AuthnContextClassRef", "urn: oasis: names: tc: SAML: 2.0: assertion", "urn: oasis: names: tc: SAML: 2.0: ac: classes: Password");
var attributeContainer = stsuu.getAttributeContainer ();
var cn = attributeContainer.getAttributeValueByName ("code");
var prinAttr = attributeContainer.getAttributeValueByName ("tagvalue_login_user_name");
var principalAttr = new Attribute ("name", "urn: oasis: names: tc: SAML: 1.1: nameid-format: emailAddress", "" + cn);
var sAMAccountName = new Attribute ("sAMAccountName", "urn: ibm: names: ITivoli Federated Identity Manager: 5.1: accessmanager", "" + cn);


The partner also requested the passage of some AD groups.
How can I retrieve user groups on AD?

A thousand thanks,
Claudio

------------------------------
Claudio Laganà
------------------------------

Hi Claudio,

The easiest thing to do would be to import the AD groups you care about into Verify Access.  In that case they will appear as groups in the stsuu object and should be easy to send them on to the service provider.

Otherwise I think you'd need to use the UserLookup helper class in the mapping rule to directly pull native group information from AD.  I think this is possible although I have not tried it myself.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------

Original Message:
Sent: Tue August 17, 2021 11:10 AM
From: Claudio Laganà
Subject: How can I get a user's groups on Active Directory with a mapping rule (SAML2.0)?

Hello everybody,
I have an ISVA environment with federated Active Directory.
I have created a federation (ISVA is IdP) and I am currently passing the sAMAccountName attribute to the partner SP.
I performed the following configuration on the reverse proxy:

[TAM_CRED_ATTRS_SVC: eperson]
code = sAMAccountName

and I created the following mapping rule:

var authnMethodAttr = new Attribute ("AuthnContextClassRef", "urn: oasis: names: tc: SAML: 2.0: assertion", "urn: oasis: names: tc: SAML: 2.0: ac: classes: Password");
var attributeContainer = stsuu.getAttributeContainer ();
var cn = attributeContainer.getAttributeValueByName ("code");
var prinAttr = attributeContainer.getAttributeValueByName ("tagvalue_login_user_name");
var principalAttr = new Attribute ("name", "urn: oasis: names: tc: SAML: 1.1: nameid-format: emailAddress", "" + cn);
var sAMAccountName = new Attribute ("sAMAccountName", "urn: ibm: names: ITivoli Federated Identity Manager: 5.1: accessmanager", "" + cn);

stsuu.clear(); 

stsuu.clearAttributeList(); 

stsuu.addPrincipalAttribute(principalAttr);

stsuu.addAttribute(authnMethodAttr); 

stsuu.addAttribute(sAMAccountName);

The partner also requested the passage of some AD groups.
How can I retrieve user groups on AD?

A thousand thanks,
Claudio

------------------------------
Claudio Laganà
------------------------------

Hi Jon,
thank you for your suggestion.

I used the UserLookup Helper and it worked!

Thanks again,
Claudio

------------------------------
Claudio Laganà
------------------------------

Original Message:
Sent: Fri August 27, 2021 06:30 AM
From: Jon Harry
Subject: How can I get a user's groups on Active Directory with a mapping rule (SAML2.0)?

Hi Claudio,

The easiest thing to do would be to import the AD groups you care about into Verify Access.  In that case they will appear as groups in the stsuu object and should be easy to send them on to the service provider.

Otherwise I think you'd need to use the UserLookup helper class in the mapping rule to directly pull native group information from AD.  I think this is possible although I have not tried it myself.

Jon.

------------------------------
Jon Harry
Consulting IT Security Specialist
IBM

Original Message:
Sent: Tue August 17, 2021 11:10 AM
From: Claudio Laganà
Subject: How can I get a user's groups on Active Directory with a mapping rule (SAML2.0)?

Hello everybody,
I have an ISVA environment with federated Active Directory.
I have created a federation (ISVA is IdP) and I am currently passing the sAMAccountName attribute to the partner SP.
I performed the following configuration on the reverse proxy:

[TAM_CRED_ATTRS_SVC: eperson]
code = sAMAccountName

and I created the following mapping rule:

var authnMethodAttr = new Attribute ("AuthnContextClassRef", "urn: oasis: names: tc: SAML: 2.0: assertion", "urn: oasis: names: tc: SAML: 2.0: ac: classes: Password");
var attributeContainer = stsuu.getAttributeContainer ();
var cn = attributeContainer.getAttributeValueByName ("code");
var prinAttr = attributeContainer.getAttributeValueByName ("tagvalue_login_user_name");
var principalAttr = new Attribute ("name", "urn: oasis: names: tc: SAML: 1.1: nameid-format: emailAddress", "" + cn);
var sAMAccountName = new Attribute ("sAMAccountName", "urn: ibm: names: ITivoli Federated Identity Manager: 5.1: accessmanager", "" + cn);

stsuu.clear(); 

stsuu.clearAttributeList(); 

stsuu.addPrincipalAttribute(principalAttr);

stsuu.addAttribute(authnMethodAttr); 

stsuu.addAttribute(sAMAccountName);

The partner also requested the passage of some AD groups.
How can I retrieve user groups on AD?

A thousand thanks,
Claudio

------------------------------
Claudio Laganà
------------------------------