
Forum Discussion

bengmau_232795
Nov 05, 2015

F5 APM SAML IDP setup for nameid-format persistent

Hi, I would like to set up a SAML IDP session and would like to assign a nameid of type persistent.

 

I would like the nameid however to act as per strict definition of the "persistent" rule.

 

That is, as per https://wiki.shibboleth.net/confluence/display/SHIB2/IdPPersistentNameIdentifier

 

longevity = persistent
reassignable to other SP's = no
revokable = yes
targeted = yes
transparency = opaque

 

I was wondering what is the way to be able to assign the nameid in F5 to do all of the above?

 

So far, if I set the IDP settings to persistent and assign an attribute to the nameid, it is simply passing that attribute as the name-id and setting the nameid type as persistent. As such, the nameid is neither opaque nor targeted (unique) to each authorised SAML Service Provider.

 

Is there an easy way to achieve what I need to do (am I not specifying the assigned attribute variable right?)?

 

Or is an iRule actually required to generate this type of assertion value, and is the logic similar to the following other systems? If so, is there an existing iRule in the Code resources section that will do what I need to do? I'm pretty accustomed only to configuring this system and not much of an iRule person (but can cut and paste :))

 

http://blogs.msdn.com/b/card/archive/2010/02/17/name-identifiers-in-saml-assertions.aspx
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPPersistentNameIdentifier
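The four properties the post lists (persistent, targeted per SP, revocable, opaque) come from how the identifier is derived, not from the `Format` attribute alone. The following is an added example (editor's model, not F5 or Shibboleth code and not an iRule) of a keyed-hash variant of the Shibboleth computed-ID derivation the post links to: the IdP secret, entity IDs, user `source_id` and the per-user/SP generation counter are all constructed here.

```python
import base64
import hashlib
import hmac
from xml.sax.saxutils import escape, quoteattr

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class PersistentIdIssuer:
    """Derive persistent, SP-targeted, opaque, revocable NameIDs.

    NameID = base64(HMAC-SHA256(idp_secret, sp_entity_id + "!" + source_id + "!" + generation))
    - persistent: same inputs always give the same value
    - targeted:   the SP entity ID is part of the input, so two SPs cannot correlate users
    - opaque:     a keyed hash reveals nothing about source_id
    - revocable:  bumping the stored generation counter yields a fresh value for that user/SP
    """

    def __init__(self, idp_secret: bytes):
        self._secret = idp_secret
        # Constructed in-memory store; a real IdP keeps this in a database.
        self._generation: dict[tuple[str, str], int] = {}

    def issue(self, sp_entity_id: str, source_id: str) -> str:
        gen = self._generation.get((source_id, sp_entity_id), 0)
        msg = f"{sp_entity_id}!{source_id}!{gen}".encode()
        return base64.b64encode(hmac.new(self._secret, msg, hashlib.sha256).digest()).decode()

    def revoke(self, sp_entity_id: str, source_id: str) -> None:
        key = (source_id, sp_entity_id)
        self._generation[key] = self._generation.get(key, 0) + 1


def nameid_element(value: str, idp_entity_id: str, sp_entity_id: str) -> str:
    """Render the NameID as it would appear in the assertion Subject."""
    return (
        f"<saml:NameID Format={quoteattr(PERSISTENT_FORMAT)} "
        f"NameQualifier={quoteattr(idp_entity_id)} "
        f"SPNameQualifier={quoteattr(sp_entity_id)}>{escape(value)}</saml:NameID>"
    )


if __name__ == "__main__":
    issuer = PersistentIdIssuer(b"constructed-idp-secret")  # constructed secret
    nid = issuer.issue("https://sp-one.example/saml", "jdoe")
    print(nameid_element(nid, "https://idp.example/saml", "https://sp-one.example/saml"))
```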

 
