IBM Security Verify

Expand all | Collapse all

How can I get a user's groups on Active Directory with a mapping rule (SAML2.0)?

  • 1.  How can I get a user's groups on Active Directory with a mapping rule (SAML2.0)?

    Posted Tue August 17, 2021 11:11 AM
    Hello everybody,
    I have an ISVA environment with federated Active Directory.
    I have created a federation (ISVA is IdP) and I am currently passing the sAMAccountName attribute to the partner SP.
    I performed the following configuration on the reverse proxy:

    [TAM_CRED_ATTRS_SVC: eperson]
    code = sAMAccountName

    and I created the following mapping rule:

    var authnMethodAttr = new Attribute ("AuthnContextClassRef", "urn: oasis: names: tc: SAML: 2.0: assertion", "urn: oasis: names: tc: SAML: 2.0: ac: classes: Password");
    var attributeContainer = stsuu.getAttributeContainer ();
    var cn = attributeContainer.getAttributeValueByName ("code");
    var prinAttr = attributeContainer.getAttributeValueByName ("tagvalue_login_user_name");
    var principalAttr = new Attribute ("name", "urn: oasis: names: tc: SAML: 1.1: nameid-format: emailAddress", "" + cn);
    var sAMAccountName = new Attribute ("sAMAccountName", "urn: ibm: names: ITivoli Federated Identity Manager: 5.1: accessmanager", "" + cn);
    stsuu.clear(); 
    stsuu.clearAttributeList(); 
    stsuu.addPrincipalAttribute(principalAttr);
    stsuu.addAttribute(authnMethodAttr); 
    stsuu.addAttribute(sAMAccountName);


    The partner also requested the passage of some AD groups.
    How can I retrieve user groups on AD?

    A thousand thanks,
    Claudio

    ------------------------------
    Claudio Laganà
    ------------------------------


  • 2.  RE: How can I get a user's groups on Active Directory with a mapping rule (SAML2.0)?

    Posted Fri August 27, 2021 06:31 AM
    Hi Claudio,

    The easiest thing to do would be to import the AD groups you care about into Verify Access.  In that case they will appear as groups in the stsuu object and should be easy to send them on to the service provider.

    Otherwise I think you'd need to use the UserLookup helper class in the mapping rule to directly pull native group information from AD.  I think this is possible although I have not tried it myself.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: How can I get a user's groups on Active Directory with a mapping rule (SAML2.0)?

    Posted Tue September 14, 2021 06:28 AM
    Hi Jon,
    thank you for your suggestion.

    I used the UserLookup Helper and it worked!

    Thanks again,
    Claudio


    ------------------------------
    Claudio Laganà
    ------------------------------