How can an Administrator filter Active Directory groups for a SAML application to only show a specific group in the attribute?
When creating a custom SAML application, an Administrator can filter the results for groups that are returned when using the setFilteredAttributeArray attribute.
Use a Regex expression as outlined here: https://technet.microsoft.com/en-us/library/hh440535(v=sc.12).aspx
(Link provided as a courtesy and subject to change)
In order to have a SAML assertion return the Active Directory group value "ExampleSecurityGroup" in an attribute, an Administrator would add the following value to the Advanced section of the SAML application.
setFilteredAttributeArray('Groups', LoginUser.GroupNames, "ExampleSecurityGroup");
If the user is a member of this Security Group that contains this name, then the value 'ExampleSecurityGroup' will be passed in the assertion as an attribute value called "Groups".
To match the EXACT value for "ExampleSecurityGroup" use the following Regex expression:
setFilteredAttributeArray('Groups', LoginUser.GroupNames, "^ExampleSecurityGroup$");
NOTE: If the value is NOT present, a null value is passed in the Assertion for the 'Groups' variable