For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ChristianH_1903's avatar
ChristianH_1903
Icon for Nimbostratus rankNimbostratus
Nov 18, 2015

Generating SAML attributes and calculations in variable assignments

Hi,   I'm currently setting up my f5 to act as SAML IdP. One of the attributes I need to send back is supposed to contain an opaque, privacy-preserving unique ID. I was thinking of using e.g. sha2...
application delivery
BIG-IP Access Policy Manager (APM)
saml
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 18, 2015

Do this:

  1. Add an iRule event agent to the visual policy.

  2. Add an iRule to the VIP:

    when ACCESS_POLICY_AGENT_EVENT {
    ACCESS::session data set "session.user.MyPersistentNameID" [b64encode [sha256 [ACCESS::session data get "session.ad.last.attr.mail"]]]
}

sha256 is going to produce a binary value, probably not exactly what you want, so base64-encoding that makes it at least portable. You could also actually hex-encode the sha256 output to produce a slightly more palatable hexadecimal product:

binary scan [sha256 [ACCESS::session data get "session.ad.last.attr.mail"]] H* encstr
ACCESS::session data set "session.user.MyPersistentNameID" $encstr