How to get group name CN from session.ad.last.attr.memberOf ?

you can use tcl in a variable assign VPE to make this work

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-11-5-0/5.html

some more info on splitting

https://devcentral.f5.com/questions/splitting-a-delimited-string-into-multiple-variables-in-one-line-with-tcl-split-versus-getfield

Hi,

you can use this code:

session.ad.last.attr.memberOfLite

if { [info exists "groups"] }{unset groups;};
foreach value [mcget {session.ad.last.attr.memberOf}] {
regex {(CN=[^,]+)} $value CNFull CNValue;
lappend groups $CNValue;
unset CNFull;
unset CNValue;
};
return $groups

Stanislas' works with spaces in CN, for I have just tested it with tclsh. If you are running v11.6.1, there is an issue "512130-4 : Remote role group authentication fails with a space in LDAP attribute group name", which has been addressed in HF2 that's just been released on the weekend. See its release notes.

This seems that it might address the issue I'm trying to solve.

I set up a SAML/SSO and they want me to provide the list of AD groups. so I'm sending them the session.ad.last.attr.memberOf array in the response.

But this contains much, much, more than the service provider needs or probably should be shared with them.

It looks like this code will go through each entry of the array and creating a modified result. So if I add the check to see if it matches the type of membership string they are looking for I could limit it to only those?!

I think it would be better if the AD request could be filtered to only return to me those items, and if that is possible it would be preferred, but I haven't found anything to do that type of operation (and would be grateful if there is someone who knows if there is).

Basically want to return a modified result which is the same as the session.ad.last.attr.memberOf array with only the array members that match. Any ideas? Go! (and thanks).