APM- Dynamic Resource assignment based on SAML attributes
Hi Team,
Please help me write an expression (Advanced Resource Assign) to assign resources based on a SAML attribute condition.
Access policy:
Machine cert auth --> SAML --> Endpoint check --> Advanced resource assignment
Sample user logs:
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4836;Message=AttributeName: exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4847;Message=ATTR_NAME: (32) exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4896;Message=AttributeValue: 20034567;"
Attribute Name: exter.extactivitycenter
Attribute value: 20034567
I tried the resource assignment expression formats below (advanced) in Advanced Resource Assign, but no luck.
1) session.saml.last.attr.name.exter.extactivitycenter == 20034567
2) expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] == 20034567}
3) expr { [mcget {session.saml.last.attr.name.exter.extactivitycenter}] contains "20034567" }
Please guide me on the correct expression format to assign dynamic resources (network access profile, ACL, webtop).
Thanks,
RKram
3 Replies
- Dario_Garrido
Noctilucent
Hello rkram_p
Maybe with this expression:
expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] eq "20034567"}
But I would say that your syntax is valid. Could you please check your user variables to verify that both values exist?
- session.saml.last.attr.name.exter.extactivitycenter
- 20034567
One easy way to check this is to use a message box before ending the policy evaluation. At that precise moment, check the variables to confirm that both values exist.
- rkram_p
Altostratus
Thank you for your suggestion.
We got this value from the user access session (SAML response).
Do you think we can add a variable agent after a successful SAML response, log that variable as a custom one, and use that condition in the Advanced Resource Assign?
-RKRam
- Dario_Garrido
Noctilucent
You can easily do it with an iRule:
https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html
https://clouddocs.f5.com/api/irules/ACCESS__saml.html
Btw, if any of my answers was helpful, I would appreciate if you give me some thumbs up or mark the question as resolved. Thanks.
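As an added example, not code from either poster, the iRule below implements the second reply's suggestion: an iRule Event agent placed after the SAML Auth agent reads the attribute from the poster's logs, copies it into a custom session variable, and logs it so the value can be verified the way the first reply recommends. The Agent ID `saml_attr` and the variable name `session.custom.activitycenter` are assumed names chosen for this example; the attribute name and value are the ones from the poster's logs.

```tcl
# Added example for this thread, not code from the original posts.
# Assumptions (hypothetical names): an "iRule Event" agent with Agent ID
# "saml_attr" sits in the access policy between the SAML Auth agent and the
# Advanced Resource Assign agent, and the custom variable is named
# session.custom.activitycenter.
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our own iRule Event agent; other agents may fire this event too.
    if { [ACCESS::policy agent_id] ne "saml_attr" } {
        return
    }

    # Read the attribute exactly as the SAML SP agent stored it. APM populates
    # session.saml.last.* only after it has validated the assertion, so this
    # value comes from the IdP, not from anything the client can set directly.
    set attr "session.saml.last.attr.name.exter.extactivitycenter"
    set raw [ACCESS::session data get $attr]

    # Normalise: strip surrounding whitespace so "20034567 " still matches
    # a later string comparison.
    set center [string trim $raw]

    if { $center eq "" } {
        # Missing attribute: record it and set the custom variable to empty so
        # the resource-assign expression evaluates to false rather than erroring.
        log local0. "session [ACCESS::session sid]: SAML attribute $attr not present"
        ACCESS::session data set "session.custom.activitycenter" ""
        return
    }

    log local0. "session [ACCESS::session sid]: SAML attribute $attr = '$center'"
    ACCESS::session data set "session.custom.activitycenter" $center
}
```

Attach the iRule to the virtual server that carries the access profile, add the iRule Event agent with Agent ID `saml_attr` after the SAML Auth agent, and then use `expr {[mcget {session.custom.activitycenter}] eq "20034567"}` as the Advanced Resource Assign expression. Comparing with `eq` rather than `==` is deliberate: Tcl's `==` treats both operands as numbers when they look numeric, so a value such as `020034567` would also match, while `eq` requires the exact string. The `log local0.` line lands in /var/log/ltm, which gives a quick way to confirm that the attribute really reached the session before debugging the expression itself.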