Can and How F5 APM as SP map SAML multi-valued attribute to network resources like LDAP group resource assign?

Question

We knew that with ldap, we can use the following feature to assign and aggregate different network resources to different LDAP groups. 
SOL16306: AD and LDAP Group Resource Assign feature
https://support.f5.com/kb/en-us/solutions/public/16000/300/sol16306.html&nbsp;
If F5 as SP, got a SAML from an external SAML IdP with the following memberof attribute
 CN=group1,OU=TestOU,DC=test,DC=test,DC=local CN=group2,OU=TestOU,DC=test,DC=test,DC=local CN=group3,OU=TestOU,DC=test,DC=test,DC=local &nbsp;
Can F5 map each value to APM resources and aggregate these resources for the session?&nbsp;
If yes, how does F5 do it? &nbsp;

lucas_thompson_ · Answer

You can configure the access policy however you like. Any contents of any session variable can result in the assignment of any resource(s) and/or any ACL(s) or execution of any logic you want.&nbsp;
APM as SP will transform a multi-valued attribute contained in a SAML assertion from an IdP to a single session variable with the attribute name, and delimited by a pipe "|" symbol. This multi-valued feature was introduced first in BIG-IP APM v12.0.&nbsp;
To see this, simply configure it and then use the session variable viewer in the GUI or sessiondump command in the CLI.&nbsp;

Forum Discussion

Can and How F5 APM as SP map SAML multi-valued attribute to network resources like LDAP group resource assign?

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

2026 301a exam

F5OS login with admin/root failed via console

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

UCS Encryption Question

Unblock Request WAF

Related Content

DevCentral Resources

F5 Resources for COVID-19

BIG-IP Terraform Resources

Add SameSite attribute to APM Cookies

Lightboard Lessons: HTTP Cookie SameSite Attribute

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS