While configuring an SP in ForgeRock, I want to pass the "effective group" or the attribute defining the user's group in ForgeRock. I am not able to find how to pass the user group attribute in SAML assertions. Please help, I need assistance with this.
You are looking for IDP attribute mapping. In the IDCloud version, I would recommend checking this URI for documentation. If you are following that guide, you would need to inject the user group information in one of your mappings. For example, reading the ismemberof virtual attribute from the profile and mapping it to the outgoing
You will need to define a custom SAML2 IDP Attribute Mapper script. Use the script below as an example:
Hi @jsingh,
Since this requires some customisation, the script link you provided, which I have seen already, is not much help to me… I am currently using ForgeRock Identity Cloud, which is very new to me… So if possible, can you provide me with sample script lines where a user is assigned to a particular group and I want to send that group name in the SAML assertion? It would be very helpful. Thank you in advance.
Currently I am passing user group information through the "IsMemberOf" attribute.
SAML attribute: Group, local attribute: IsMemberOf. But I am receiving the response in this format: "cn=Broker, ou=groups, o=alpha, o=root, ou=identities". I want to get "Broker" alone in the SAML assertion. Is it possible to send the group name alone through the assertion, or is it not possible? If it is possible, please let me know where and how the logic should be written.
To make a change like this you will need to configure your IDP to use a custom Saml2 IDP Attribute Mapper script, which can be defined on the Assertion Processing tab of your IDP configuration.
Within the script, you will need to write some code to handle the manipulation of the returned results for the isMemberOf attribute (note: you only want to do this manipulation when the attribute being processed is isMemberOf, so add the appropriate check to your code for this). To handle this manipulation, once you have the DN of the group as the full string you can then utilize existing libraries to manipulate that string and return just the name of the group. For example, assuming you've assigned the full string of the group's DN to a variable called groupName:
// Parse the DN; the RDN at index size()-1 is the leftmost one (cn=Broker)
groupObject = new frJava.LdapName(groupName);
// getValue() yields just the RDN value, i.e. "Broker"
displayName = groupObject.getRdn(groupObject.size() - 1).getValue().toString();
Once you have just the displayName you can add that to a HashSet of values to be returned, and then build the returned attribute using that set of values. If you use the approach above, don't forget to whitelist the javax.naming.ldap.LdapName class and include javax.naming.ldap.LdapName in the classes imported via
Thank you for your answer. But the problem I am facing is that I am not able to get the "isMemberOf" value in the attribute mapper script as you mentioned in the above answer, i.e. getting the DN of the group as a full string and assigning it to the variable "groupName". I am facing the problem at that step itself. In the SAML assertion it can pass the full group name like this, "cn=Broker, ou=groups, o=alpha, o=root, ou=identities", but I don't know how to get hold of this value inside the script. I have tried using "stringValueMap.get(isMemberOf)" and also idpAttributeMapperScriptHelper.getPropertySet(session, "isMemberOf"); neither of these methods gives me the value of isMemberOf.
I need help with this part.
I'm not quite sure I'm following where you are experiencing the issue. If you have already configured the attribute mapping for your SP via the Assertion Processing tab (assigning the Local Attribute isMemberOf to the SAML Attribute groupName), the existing code in the Saml2 IDP Attribute Mapper script should be retrieving those values via this line of code:
attributeValues = stringValueMap.get(localAttribute);
In the line of code above, the stringValueMap was populated earlier via this line of code, which uses the stringAttributes HashSet containing all of the local attributes that were defined for the attribute mapping:
stringValueMap = idpAttributeMapperScriptHelper.getAttributes(session, stringAttributes);
Are you stating that once you configure your IDP to utilize the Saml2 IDP Attribute Mapper script, you are no longer even able to retrieve the full list of group distinguished names? It sounds like what has happened is that you've possibly removed the configuration in your SP that maps that local attribute to the SAML attribute. Without that configuration you'd need to make multiple other changes to the script's code to retrieve that attribute's values and map them to a SAML attribute.
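As an added illustration (not the thread's script and not ForgeRock's mapper code), here is the isMemberOf rewrite described in the two answers above, modelled in Node.js so it can be run outside AM. javax.naming.ldap.LdapName is not available outside the JVM, so a small DN splitter that honours backslash-escaped commas stands in for it; the stringValueMap contents, the SAML-to-local mapping and the group DNs are constructed sample data, and the function names are my own. It also shows the check the answer calls for: only the isMemberOf values are rewritten, every other local attribute passes through untouched.

```javascript
// Added example: model of the isMemberOf -> group name manipulation.
// Constructed data throughout; not ForgeRock's Saml2 IDP Attribute Mapper script.

// Split a DN into its RDNs, honouring backslash-escaped separators so a
// group such as "cn=Sales\, EMEA" is not split into two RDNs.
function splitRdns(dn) {
  const rdns = [];
  let current = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {
      current += ch + dn[i + 1]; // keep the escape pair together
      i++;
    } else if (ch === ',') {
      rdns.push(current.trim());
      current = '';
    } else {
      current += ch;
    }
  }
  rdns.push(current.trim());
  return rdns;
}

// Value of the leftmost RDN, which is what LdapName.getRdn(size()-1).getValue()
// returns on the JVM. LDAP escapes are removed. A string with no "type=value"
// shape is rejected rather than silently passed on as a group name.
function leafRdnValue(dn) {
  const leaf = splitRdns(dn)[0];
  const eq = leaf.indexOf('=');
  if (eq < 1) throw new Error('malformed RDN: ' + leaf);
  return leaf.slice(eq + 1).replace(/\\(.)/g, '$1');
}

// Mimic the mapper loop: for each SAML attribute -> local attribute pair,
// look the local values up in stringValueMap, rewrite only isMemberOf,
// and collect the results in a Set (the answer suggests a HashSet).
function mapAttributes(stringValueMap, mapping) {
  const out = {};
  for (const [samlAttribute, localAttribute] of Object.entries(mapping)) {
    const values = stringValueMap[localAttribute] || [];
    const set = new Set();
    for (const v of values) {
      set.add(localAttribute === 'isMemberOf' ? leafRdnValue(v) : v);
    }
    out[samlAttribute] = Array.from(set);
  }
  return out;
}

// Constructed stand-in for what idpAttributeMapperScriptHelper.getAttributes(...)
// would populate; the first DN is the one quoted in the thread.
const sampleStringValueMap = {
  isMemberOf: [
    'cn=Broker, ou=groups, o=alpha, o=root, ou=identities',
    'cn=Sales\\, EMEA,ou=groups,o=alpha,o=root,ou=identities',
  ],
  mail: ['user@example.com'],
};
// Constructed SAML attribute -> local attribute mapping, as set on the Assertion Processing tab.
const sampleMapping = { Group: 'isMemberOf', Email: 'mail' };

console.log(JSON.stringify(mapAttributes(sampleStringValueMap, sampleMapping)));
```

Run with `node` to see Group reduced to ["Broker","Sales, EMEA"] while Email is passed through unchanged.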
Thank you so much for your support. Finally I was able to achieve the requirement.