How can I filter Group DN's to only have the value of the CN?

Document ID : KB000104915
Last Modified Date : 08/08/2018
Show Technical Document Details
Issue:
We're running Policy Server in Federation, and when the Assertion Generator creates the saml response the group attribute has a long list of group names that contain the full DN.

Example: 
CN=admins,OU=Groups,DC=siteminder,DC=com^CN=helpdesk,OU=Groups,DC=siteminder,DC=com

How can we only return the value of the CN for the group DN?
Resolution:
The way that you can get just the CN value of the group membership attribute is by making a Custom attribute in the User Directory. To do this, you will need to do the following: 

1) Go to the User Directory the Users are members of. 
2) Go to the Attribute Mapping Section and click Create. 
3) Give a name to the new Virtual Attribute. 
4) In the Definition field, enter the following: 
FILTER( GET('memberOf') , '(?<=CN=)(.*)(?=,OU)' ) 

NOTE: This will Filter the Users Group Memberships down to just the value of the CN for the group DN. You may also need to replaced the OU with the proper type of container that the group is part of. For example, the Full DN above in the description (CN=admins,OU=Groups,DC=siteminder,DC=com) had no Groups OU and just the DC (CN=admins,DC=siteminder,DC=com), then OU would be replaced with DC.
Or you can come up with your own Regex to do a custom filter, this is just an example.

5) In the Federation Partnership, for the attribute value, Select User Attribute, and enter the Virtual Attributes name that you gave it in Step 3 

This will tell the Policy Server to get the Virtual Attribute and calculate its value to be used in the Assertion. 
Additional Information:
Basically, you have two arguments for FILTER(), the first is the value that you want to filter, and the second is the Regular Expression string to use to perform the filter. 

We use GET() to fetch the users attribute and its result will be the string that we are going to filter. 

Once FILTER() is done processing the string, it will return its result from the RegEx string '(?<=CN=)(.*)(?=,OU)'

How I came up with the RegEx string was to test with a RegEx tester site https://regexr.com/ and try and come up with a regex string that would only return the value of the CN of a Group DN. 

Expressions Documentation:

FILTER() : https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators#Operators-FILTERFunction--TestSetElements

GET() :  https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators#Operators-GETFunction--LocateAttributesinaUserDirectory