Forum Discussion

Evgeny_Udaltsov's avatar
Icon for Nimbostratus rankNimbostratus
Nov 16, 2022

f5 BIG IP APM Show where a SAML Request from

Hi Team, i try to find a solution to figure out a way where the SAML Request from. Is it possible? The memberOf attribute needs to be changed, depending on the origins of the request.

3 Replies

  • Hi,

    To break down what i think you've said for clarity.
    So memberOf is a AD attriubute, this isn't connected to SAML at all.

    But what you can do, is on APM auth, you do your AD Auth, then AD Query.
    From there you can either take the whole memberOf Parameter and put it into the saml responce to your SP.
    Or write something in your APM policy that looks at the memberOf output and builds a variable with what ever you need into it, then put that into your SAML token to your SP.
    I've done both dependant on what the application needs and how flexiable it can be.

    The power for this is all inside your APM policy.

  • Hi,

    The SAML request should show the tag "<Issuer />", that might tell you the name of the SP (where it comes from).


  • Expanding this answer, you can follow different policy branches for different SPs of SAML authentication requests, but you can't use "issuer" like that directly. This is covered by F5 enhancement request ID 960161 (currently not on roadmap).

    A workaround to this issue is listed here:

    What you'd do here is choose different queries or alter your memberOf depending on the branch taken.