We would like to create an authorization policy to limit access to a SAML2 resource if the user is a member of an AD group. Our primary data source is eDir, so we created an additional data source for AD and a virtual attribute called adGroupMembership mapping the memberOf attribute in AD. We've tried the following in NAM 5.0.4.0 to determine if the user is a member of AD group "cn=AD Group,...".
However, even though the test user is a member of this group, NAM fails with an authorization error.
Any guidance on where our error is with the above condition? Is there a way to debug condition groups? There is a test button for virtual attributes but I do not see anything similar for condition groups.
Lastly, if the authorization fails, is there a way to display a web page explaining the failure to the user?
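Added example (Python, not NAM code or the poster's configuration): a DN-aware membership check illustrating why comparing a multi-valued memberOf attribute against a group DN as a plain string can miss a match; the attribute values and group DN are constructed.

```python
# Added example, not part of the original post or of NAM.
# memberOf is multi-valued and holds DNs; LDAP compares DNs case-insensitively
# and ignores whitespace around RDN separators, so a raw string comparison
# can report "not a member" for a user who is one.


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: lowercase attribute types and values,
    strip whitespace around '=' and ','. Simplified: assumes no escaped commas."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def is_member(ad_group_membership, group_dn: str) -> bool:
    """True if any value of the multi-valued attribute equals group_dn as a DN."""
    if isinstance(ad_group_membership, str):
        ad_group_membership = [ad_group_membership]
    target = normalize_dn(group_dn)
    return any(normalize_dn(v) == target for v in ad_group_membership)


# Constructed sample of what AD returns for memberOf on a test user.
SAMPLE_MEMBER_OF = [
    "CN=AD Group,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
]


def check_sample():
    """Compare a raw string test with the DN-aware test for the same group."""
    wanted = "cn=AD Group, ou=Groups, dc=example, dc=com"
    raw_match = wanted in SAMPLE_MEMBER_OF   # False: case and spacing differ
    dn_match = is_member(SAMPLE_MEMBER_OF, wanted)  # True: same DN
    return raw_match, dn_match
```

When the policy condition compares the virtual attribute as a single string rather than testing each value, the same mismatch applies; checking the exact values returned by the virtual attribute test against the DN typed in the condition is a quick first step.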