For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ChristianH_1903's avatar
ChristianH_1903
Icon for Nimbostratus rankNimbostratus
Nov 18, 2015

Generating SAML attributes and calculations in variable assignments

Hi,   I'm currently setting up my f5 to act as SAML IdP. One of the attributes I need to send back is supposed to contain an opaque, privacy-preserving unique ID. I was thinking of using e.g. sha2...
application delivery
BIG-IP Access Policy Manager (APM)
saml
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 18, 2015

I'm assuming you're referring to eduPersonTargetedID. The definition uses the word "opaque", which doesn't mean encrypted. The definition does imply, however, that the value should reveal no information about the user. That rules out hex-encoding. A hash could work here, but the definition also implies that it should not rely on the username, nor necessarily change when the username changes, which a hash surely would.

It's a little vague as to how the value is actually constructed, and just Googling around I see a few different variations of formatting. Are you certain that a SHA256 hash will work here, per the InCommon specification?

As for the VPE assignment, you need a semicolon between the commands:

binary scan [mcget session.ad.last.attr.sAMAccountName] H* encstr; return $encstr