Juel Expressions in SAML Assertions

Document ID : KB000046464
Last Modified Date : 14/02/2018
Show Technical Document Details

Summary: 

I am trying to configure Cisco Meraki application with CA SSO. As per the document, meraki expects Role attribute in the assertion. We (IDP) would like to check the Administrators based on a AD group and if the user is a member of the group, then pass him as Administrator, if not as a User.

I have the following expression set.

#{attr["memberOf"] == 'CN=Guests,CN=Builtin,DC=pineapple,DC=ca,DC=com' ? 'Administrator' : 'User'}

During the Assertions, I do not see myself being passed as the Administrator even though I am the member of Guests Group. Is "MemberOf", being checked? Is the expression format correct?

Background:  

Claims transformation manipulates claims during a federated single sign-on transaction. Claims, also known as attributes, help customize the attributes and improve the user experience at a partner.

Modifying assertion attributes lets the relying party adapt user information so a target application can use it.

Claims transformation occurs at the local asserting party during the assertion generation process. You configure the feature on a per-partnership basis. An assertion can be modified whether a local or remote party generates the assertion. Claims are transformed based on an expression that you configure for the partnership. The expression relies on user information from the user store and the CA SiteMinder® session store.

Prerequisites for Claims Transformation

Before you configure claims transformation, consider the following prerequisites:

Be familiar with the user store and session store attributes available.

Determine which attributes the relying party expects to receive in an assertion.

Be familiar with Java Unified Expression Language (JUEL), an open source version of the Unified Expression Language.

Environment:  

R12.5, R12.52 SP1, R12.52 SP2

Instructions: 

Please follow below steps to implement the use case.

1. Create an Attribute Mapping on the User Directory.

ad_grp

2. Select expression option

Paste the expression in Definition Section: FILTER(GET('memberOf'), '*Guests*')

Note: Mention the group name which you want to filter accordingly in place of "Guests".

3) Use ad_grp as the name of the attribute in JUEL expression like below

#{attr["ad_grp"] == 'CN=Guests,CN=Builtin,DC=pineapple,DC=ca,DC=com' ? 'Administrator' : 'User'}

attrmapp.JPG

Additional Information:

Refer More Details on https://communities.ca.com/message/241911740