We've recently configured an SA running 8.0R5 as a service provider with a Microsoft ADFS server on Server 2012 as the iDP. We can authenticate fine and the post is all working. We are now trying to take this a stage further to use claims returned in the assertion for stating which services the users are permitted access to. These are essentially created by the ADFS server based on the users' AD group membership. However, a policy trace on the SA shows it returned as:
userAttr..http://schemas.xmlsoap.org/claims/Group = "Group1 Group2"
samlMultiValAttr.http://schemas.xmlsoap.org/claims/Group = "Group1", "Group2"
userAttr..http://schemas.microsoft.com/ws/2008/06/identity/claims/role = "Group1 Group2"
samlMultiValAttr.http://schemas.microsoft.com/ws/2008/06/identity/claims/role = "Group1", "Group2"
We have tried using this in a custom expression but can't due to the http://schemas.xmlsoap.org in the variable name. Any suggestions on how to use the groups returned in SAML to control access?
Using version 9.0R1.01, I found I'm able to use a backslash to escape the dots in the namespace. I also found that samlMultiValAttr is not present if there is only one element in the list, so you have to account for both cases:
userAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1'
samlMultiValAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1'
My resulting expression to match if any of the roles is "Role1":
userAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1' OR samlMultiValAttr.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/role} = 'Role1'
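As an added example (not code from the original thread), a small Python check that mirrors the two cases described in that answer: it pulls every value of the ADFS role claim out of a constructed assertion fragment, matches a role exactly whether the claim carries one value or many, and formats the escaped SA expression. The assertion text is constructed, and `sa_custom_expression` is a hypothetical helper that only reproduces the expression shape given above.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample (not a real capture): the AttributeStatement of an
# ADFS-style assertion, one multi-valued claim and one single-valued claim.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>Group1</saml:AttributeValue>
      <saml:AttributeValue>Group2</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Group1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def claim_values(assertion_xml, claim_name):
    """Return the list of AttributeValue texts for one claim (empty if absent)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == claim_name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml:AttributeValue", SAML_NS))
    return values


def has_role(assertion_xml, claim_name, wanted):
    """Exact match against each value, so 'Group' does not match 'Group1'.
    This is what the OR'd userAttr / samlMultiValAttr clauses achieve on the SA
    without falling back to a substring test on the space-joined userAttr string."""
    return wanted in claim_values(assertion_xml, claim_name)


def sa_custom_expression(claim_name, wanted):
    """Hypothetical helper: builds the SA custom expression from the answer,
    escaping dots in the claim URI and covering both single- and multi-valued cases."""
    escaped = claim_name.replace(".", "\\.")
    return ("userAttr.{%s} = '%s' OR samlMultiValAttr.{%s} = '%s'"
            % (escaped, wanted, escaped, wanted))
```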
Wow!! This worked for me. The syntax was not working but worked really well with the "\".
Also... for anyone else trying to get this thing to work... you need to enter this as an expression at:
User> UserRealm> <XYZ Realm> Role mapping> New Rule > Custom expressions
Thanks so much for the info.