Forum Discussion
This seems that it might address the issue I'm trying to solve.
I set up a SAML/SSO and they want me to provide the list of AD groups, so I'm sending them the session.ad.last.attr.memberOf array in the response.
But this contains much, much more than the service provider needs or probably should be shared with them.
It looks like this code will go through each entry of the array and create a modified result. So if I add a check to see if it matches the type of membership string they are looking for, I could limit it to only those?!
I think it would be better if the AD request could be filtered to only return to me those items, and if that is possible it would be preferred, but I haven't found anything to do that type of operation (and would be grateful if there is someone who knows if there is).
Basically I want to return a modified result which is the same as the session.ad.last.attr.memberOf array with only the array members that match. Any ideas? Go! (and thanks).
Figured out a good method for a filtered list:
```tcl
set list "|";
foreach element [split [mcget {session.ad.last.attr.memberOf}] "|"] {
    # Keep only the group DNs that contain the wanted string
    if { $element contains "XYZ" } { append list "$element | "; }
}
return $list;
```
Returns all groups that contain string XYZ.
Now adding some of the logic above to limit the return to only CN= of each group entry:
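```tcl
set list "|";
foreach element [split [mcget {session.ad.last.attr.memberOf}] "|"] {
    # Skip entries with no CN= (e.g. the empty pieces produced by split),
    # otherwise CNValue is unset or stale from the previous iteration
    if { ([regexp {CN=([^,]+)} $element CNFull CNValue]) && ($CNValue contains "IS&T") } {
        append list " $CNFull |";
    }
}
return $list;
```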
(or append $CNValue if the CN= isn't wanted/needed in the resulting list).
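
An added example, not part of the original posts: a plain-Tcl version of the CN filter above that can be exercised in tclsh before the logic goes into the APM expression. It goes slightly beyond the posted code by anchoring on the leading CN= only (so a match inside an OU= component is not returned) and by accepting escaped commas in the CN. The proc name, the sample groups and the `example.com` domain are assumptions.

```tcl
# Added example (not the poster's code). In APM the input would come from
# [mcget {session.ad.last.attr.memberOf}] as in the post; here it is a
# constructed string so the proc can be run in plain tclsh.

# Return the CN values from a "|"-delimited memberOf string whose CN
# contains $needle. Only the first RDN of each DN is examined, so a group
# is not released to the service provider just because it sits in an OU
# whose name happens to match.
proc filter_member_of {memberOf needle} {
    set out {}
    foreach dn [split $memberOf "|"] {
        set dn [string trim $dn]
        if {$dn eq ""} { continue }    ;# empty pieces around the delimiters
        # Anchored at the start of the DN. (?:\\.|[^,\\])+ consumes escaped
        # characters such as "\," so a CN like "Smith\, John" is not cut short.
        if {![regexp {^CN=((?:\\.|[^,\\])+)} $dn -> cn]} { continue }
        # string first is a literal, case-sensitive substring test, so
        # characters like & or * in a group name have no special meaning.
        if {[string first $needle $cn] >= 0} {
            lappend out $cn
        }
    }
    return [join $out " | "]
}

# Constructed sample input (hypothetical groups and domain):
#   1) CN matches                      -> kept
#   2) only the OU matches, CN doesn't -> dropped
#   3) CN matches, has escaped comma   -> kept whole
set sample "| CN=IS&T-Admins,OU=Groups,DC=example,DC=com\
 | CN=Payroll,OU=IS&T,DC=example,DC=com\
 | CN=IS&T\\, Helpdesk,OU=Groups,DC=example,DC=com |"

puts [filter_member_of $sample "IS&T"]
```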