
Spider
Jan 12, 2022

APM SAML group attribute

Hi, I am trying to match on an Azure AD group attribute in the APM access policy, but I can't get it to work; the APM is acting as the SAML SP.

I'm getting the attribute in the access reports -> variables, and I can also print it out using an iRule, so I'm just wondering if someone has a clue how I should construct the expression so that it works in the access policy?

The current expression in the access policy looks like this (not working):

expr { [ mcget { session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups } ] equals "<group-id-string>" }

The iRule looks like this:

when HTTP_REQUEST {
  # NameID of the authenticated SAML subject
  set username [ACCESS::session data get "session.saml.last.identity"]
  # Value of the Azure AD "groups" claim as stored in the APM session
  set group [ACCESS::session data get "session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]
  log local0. "User: $username Group: $group"
}

Thanks

2 Replies

  • Just tested something similar and your expression seems right. I didn't receive a group attribute, so I tested with another attribute.

    Here is the Empty Agent I created:

  • Spider

    Hi again, thanks for the response. I got this to work now; it seems to have been a matter of whitespace. This works now using the expression:

    expr {[mcget {session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups}] equals "<group-id-number>"}

    I'm using the same structure as you are now, that seems to do the trick. :)
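One caveat with the working expression above: Azure AD's groups claim is multi-valued, so a plain `equals` against the whole attribute stops matching as soon as the user belongs to more than one group. The following iRule is an added example written for this thread, not code from either poster: it treats the attribute as a list of group object IDs and checks for an exact element match, writing the verdict to a session variable that a Branch Rule can test. It assumes APM stores the multiple values whitespace-separated in the session variable, that the iRule Event agent in the policy is named `check_group`, and that `<group-id-placeholder>` is replaced with the real group object ID.

```tcl
# Added example: robust membership check for the Azure AD "groups" claim.
# Assumption: APM stores multi-valued SAML attributes as a whitespace-
# separated string in session.saml.last.attr.name.<claim-name>.
when RULE_INIT {
    set static::groups_attr "session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    # Hypothetical placeholder; replace with the required group's object ID.
    set static::required_group "<group-id-placeholder>"
}

# Returns 1 if required_id is one of the values in attr_value, else 0.
# Exact element comparison, so a partial or prefix ID never matches.
proc group_allowed {attr_value required_id} {
    set groups [regexp -all -inline {\S+} $attr_value]
    return [expr {[lsearch -exact $groups $required_id] >= 0}]
}

# Triggered by an iRule Event agent (ID "check_group", an assumed name) in
# the access policy. A following Branch Rule can then use:
#   expr {[mcget {session.custom.group_ok}] equals "1"}
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] equals "check_group" } {
        set attr [ACCESS::session data get $static::groups_attr]
        set ok [group_allowed $attr $static::required_group]
        ACCESS::session data set session.custom.group_ok $ok
        if { !$ok } {
            set user [ACCESS::session data get "session.saml.last.identity"]
            log local0. "User $user is not in required group; groups claim: $attr"
        }
    }
}
```

If the deployment stores multi-valued attributes with a different separator, only the `regexp` pattern in `group_allowed` needs to change.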