Need to pass user group attribute in SAML assertions in forgerock SP?

While configuring SP in forgerock, I want to pass “effective group” or attribute defining user group in forgerock. I can’t able to find how to pass user group attribute in SAML assertions? Please help need assistance in this.

You are looking for IDP Attribute mapping. In the IDCloud version, I would recommend to check this URI for documentation. And if you are following that guide, you would need to inject the user group information in one of your mappings. For example, reading ismemberof virtual attribute from the profile and mapping it to the outgoing role attribute.

You will need to define a custom SAML2 IDP Attribute Mapper script. Use below script as an example,

1 Like

Hi @jsingh ,

Since this requires some customisation the script link you provided which I seen already is not much helpful to be… I am currently using ForgeRock Identity cloud which is very new to me … so if possible can you provide me sample script lines where user is assigned to particular group and I want to send that group name in SAML assertions…it would be more helpful thank you in advance

Hi there,

Currently I am passing user group information through “IsMemberOf” attribute.
SAML attribute : Group, local attribute: IsMemberOf. But I am receiving response in this format “cn=Broker, ou=groups, o=alpha, o=root, ou=identities”. I want to get “Broker” alone in SAML assertion. Is it possible to send group name alone through assertion or its not possible. If possible please let me where and how the logic should be.

Hi @Suriya

To make a change like this you will need to configure your IDP to use a custom Saml2 IDP Attribute Mapper script, which can be defined on the Assertion Processing tab of your IDP configuration.

Within the script, you will need to write some code to handle the manipulation of the returned results for the isMemberOf attribute (note: you only want to do this manipulation when the attribute being processed is isMemberOf, so add the appropriate check to your code for this). To handle this manipulation, once you have the DN of the group as the full string you can then utilize existing libraries to manipulate that string and return just the name of the group. For example, assuming you’ve assigned the full string of the group’s DN to a variable called groupName:

groupObject = new frJava.LdapName(groupName);
displayName = groupObject.getRdn(groupObject.size()-1).getValue().toString();

Once you have just the displayName you can add that to a HashSet of values to be returned, and then build the returned attribute using that set of values. If you use this approach above, don’t forget to whitelist the javax.naming.ldap.LdapName class and include javax.naming.ldap.LdapName in the classes imported via JavaImporter.

1 Like

Hi there,
Thank you for your answer. But the problem I am facing is I can’t able to get “isMemberOf” value in attribute mapper script like you mentioned in above answer getting DN of group as full string and assigning it to variable “groupName”. I am facing problem in that step itself. In SAML assertion it can pass full group name like this “cn=Broker, ou=groups, o=alpha, o=root, ou=identities” but I don’t know how to have hand on this value inside script. I have tried using “stringValueMap.get(isMemberOf)” also idpAttributeMapperScriptHelper.getPropertySet(session, “isMemberOf”), Both of this method can’t pass me the value of isMemberOf.
Need help in this part.

Hi @Suriya

I’m not quite sure i’m following where you are experiencing the issue. If you have already configured the attribute mapping for your SP via the Assertion Processing tab (assigning the Local Attribute isMemberOf to the SAML Attribute groupName), the existing code in the Saml2 IDP Attribute Mapper script should be retrieving those values via this line of code:

attributeValues = stringValueMap.get(localAttribute);

In this line of code above, the stringValueMap was populated earlier via this line of code, which uses the stringAttributes HashSet containing all of the local attributes that were defined for the attribute mapping:

stringValueMap = idpAttributeMapperScriptHelper.getAttributes(session, stringAttributes);

Are you stating that once you configure your IDP to utilize the Saml2 IDP Attribute Mapper script, you are no longer even able to retrieve the full list of group distinguished names? It sounds like what has happened is that you’ve possibly removed the configuration in your SP that will map that local attribute to the SAML attribute. Without that configuration you’d need to make multiple other changes to the script’s code to retrieve that attribute’s values and map it to a SAML attribute.

1 Like

Hi @mwtech,

Thank you so much for your support. Finally I can able to achieve the requirement.

1 Like

Hi @mwtech,

I have different requirement, we have multiple values in ldapgroup attribute, we need to send only specific group if user is part of that group as now its sending morethat 100 groups. please provide code fix for this if possible.


Hi @cpera

The code to do this would also be placed into the Saml2 IDP Attribute Mapper script. Have you attempted to place your logic in that script? Once you’ve retrieved the full list of groups you can just iterate through that to find the group you are looking for.

As for how you identify the group you are looking for, there are many ways you could approach that but I suggest leveraging the Local Attribute in your SAML configuration.


Thank you this is resolved with the IDP mapper script

1 Like