For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ChristianH_1903's avatar
ChristianH_1903
Icon for Nimbostratus rankNimbostratus
Nov 18, 2015

Generating SAML attributes and calculations in variable assignments

Hi,   I'm currently setting up my f5 to act as SAML IdP. One of the attributes I need to send back is supposed to contain an opaque, privacy-preserving unique ID. I was thinking of using e.g. sha2...
application delivery
BIG-IP Access Policy Manager (APM)
saml
ChristianH_1903's avatar
ChristianH_1903
Icon for Nimbostratus rankNimbostratus
Nov 19, 2015

The problem is that the "eduPersonTargetedID" should be be different for different SPs. Just adding a prefix/suffix per SP to the value calculated from the original user attribute (email address in my case) would still allow to see that it is the same person accessing the 2 services. Ideally I would create the SHA235 value our of the email address plus an unique identifier for the SP at the time the SAML attribute is assigned to the SAML response.