How To: Send Centrify Roles inside a SAML Assertion

By Centrify Advisor I ‎12-05-2017 12:41 PM


Every now and then, this situation presents itself in front of me:  


-Is it possible for me to send one or more roles as a SAML attribute, inside of a SAML Assertion?


The answer to this question is yes, and here's how you do it:


  • Sending One Role:
    • Sending one role is much simpler than sending multiple roles.  It doesn't require an array, or any of that fancy stuff.  It requires one line of code:
      • setAttribute('role', "rolename");   In this example, 'role' is the name of the SAML attribute and 'rolename' is, well, the name of the role in question.  Here's an example of a working piece of code, followed by the attribute it produces in the SAML assertion:
        setAttribute('role', "IT_Admins");
        <Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
             <AttributeValue>IT_Admins</AttributeValue>
        </Attribute>
  • Sending Multiple Roles:
    • Sending multiple roles is a bit more involved.  It does call for the above-mentioned 'fancy stuff' such as an array.  It requires a few more lines of code, which I'll explain:
      // Create a variable for the current logged in user's role names
      var roleNames = LoginUser.RoleNames;
      // Create an empty array to collect the roles we want to send
      var attrArray = [];
      // Find all roles containing "Admin" (indexOf is a case-sensitive substring match)
      for (var i = 0; i < roleNames.length; i++) {
          if (roleNames[i].indexOf("Admin") != -1) {
              var v = roleNames[i];
              // Log each matching role so it shows up in the trace output
              trace("Role containing 'admin' for this user: " + v);
              // Push roles containing "Admin" into the array
              attrArray.push(v);
          }
      }
      // Set the 'role' attribute to the values inside attrArray
      setAttributeArray('role', attrArray);
    • Right, so I've tried to make this a little easier to follow.  I've included comments (everything after //) that explain the logic of the above code.  The quoted string values are the ones that you, reader, might have to modify.  Starting from top to bottom:
      • if (roleNames[i].indexOf("Admin") != -1)
        • This line checks each of the user's roles to see whether its name contains the string "Admin".  Note that indexOf is a case-sensitive substring match: "admin" would not match "IT_Admin", and any role whose name happens to contain "Admin" anywhere will be included.  Feel free to modify the string to whatever you'd like.  Chances are if you're sending multiple roles to a SAML app, they have similar names, such as O365E1, O365E etc.  In this scenario, you could use 'O365' as your string. 
      • trace("Role containing 'admin' for this user: " + v);
        • This line simply outputs which of the user's roles match your string, so you can confirm the filter in the trace output before relying on the assertion.
      • setAttributeArray('role', attrArray);
        • As above, 'role' is the name of the attribute and attrArray is the array of values.  Feel free to change the former, but leave the latter alone unless you also rename the array everywhere else in the script.
      • Here's an example of the SAML Assertion output for a user holding the three roles shown in the trace below:
        <Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
             <AttributeValue>SAML_Admin</AttributeValue>
             <AttributeValue>IT_Admin</AttributeValue>
             <AttributeValue>System Administrator</AttributeValue>
        </Attribute>
      • Here's the trace output:
        Role containing 'admin' for this user: SAML_Admin
        Role containing 'admin' for this user: IT_Admin
        Role containing 'admin' for this user: System Administrator
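To make the logic above runnable outside the Centrify console, here is an added, stand-alone JavaScript example; it is not code from the original post or from Centrify. It stubs the host objects Centrify exposes to custom SAML scripts (LoginUser, setAttribute, setAttributeArray, trace) with a constructed user and an in-memory attribute map, runs both the single-role and multiple-role logic, renders the resulting <Attribute> element with XML escaping, and goes beyond the article by adding a stricter allow-list filter. The role names, the stub behaviour and the allow-list are assumptions; the file is written for Node.js and is not meant to be pasted into the Centrify script editor.

```javascript
// Added example (not Centrify's code): a stand-alone model of the custom SAML
// script described in this article. Host objects are stubbed so the filtering
// logic can be executed and inspected offline.

// Constructed sample: the roles a hypothetical logged-in user holds.
// "Admin Assistants" is included to show what a substring match also catches.
const LoginUser = {
  RoleNames: ["SAML_Admin", "IT_Admin", "System Administrator", "Everybody", "Admin Assistants"],
};

// Minimal stand-ins for Centrify's script host (assumed behaviour). The real
// setAttribute / setAttributeArray add an <Attribute> to the outgoing assertion;
// here they record the attribute in a map so it can be rendered and checked.
const assertionAttributes = new Map();
function setAttribute(name, value) { assertionAttributes.set(name, [String(value)]); }
function setAttributeArray(name, values) { assertionAttributes.set(name, values.map(String)); }
const traceLog = [];
function trace(msg) { traceLog.push(msg); }

// The article's multi-role logic, factored into a function: keep every role
// whose name contains `needle`. indexOf is case-sensitive, so "admin" and
// "Admin" are different needles.
function rolesContaining(roleNames, needle) {
  const matched = [];
  for (let i = 0; i < roleNames.length; i++) {
    if (roleNames[i].indexOf(needle) !== -1) {
      trace("Role containing '" + needle + "' for this user: " + roleNames[i]);
      matched.push(roleNames[i]);
    }
  }
  return matched;
}

// Stricter alternative (not in the article): only pass through roles that are
// on an explicit allow-list, so a role that merely contains the needle
// (e.g. the constructed "Admin Assistants") never reaches the service provider.
function rolesInAllowList(roleNames, allowed) {
  const allow = new Set(allowed);
  return roleNames.filter((r) => allow.has(r));
}

// Render the attribute as it would appear in the assertion. Values are
// XML-escaped so a role name containing '<' or '&' cannot alter the element structure.
function escapeXml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
function renderAttribute(name) {
  const values = assertionAttributes.get(name) || [];
  const inner = values.map((v) => `  <AttributeValue>${escapeXml(v)}</AttributeValue>`).join("\n");
  return `<Attribute Name="${escapeXml(name)}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">\n${inner}\n</Attribute>`;
}

// Scenario 1: one fixed role, exactly as in the article.
function singleRole() {
  setAttribute("role", "IT_Admins");
  return renderAttribute("role");
}

// Scenario 2: every role containing "Admin", as in the article.
function multipleRoles() {
  const attrArray = rolesContaining(LoginUser.RoleNames, "Admin");
  setAttributeArray("role", attrArray);
  return renderAttribute("role");
}

// Scenario 3: allow-listed roles only (hypothetical list).
function allowListedRoles() {
  setAttributeArray("role", rolesInAllowList(LoginUser.RoleNames, ["SAML_Admin", "IT_Admin"]));
  return renderAttribute("role");
}

console.log(singleRole());
console.log(multipleRoles());
console.log(allowListedRoles());
console.log(traceLog.join("\n"));
```

Running the file with node prints the three rendered <Attribute> elements followed by the trace lines. Compare the second and third outputs: the substring filter forwards "Admin Assistants" along with the three administrative roles, while the allow-list forwards only the two roles named, which is the behaviour to prefer when the service provider grants privileges based on this attribute.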


I hope you found this article helpful, and as always, if you have any questions, comment below.



