Forum Discussion
Generating SAML attributes and calculations in variable assignments
Hi,
I'm currently setting up my F5 to act as a SAML IdP. One of the attributes I need to send back is supposed to contain an opaque, privacy-preserving unique ID. I was thinking of using e.g. sha256 on an existing unique attribute like the user name and doing the calculation in the access policy using a variable assignment.
I found the following info about sha256
https://devcentral.f5.com/wiki/iRules.sha256.ashx
But an assignment like "session.user.mytestvar = sha256 "test"" seems not to work. I'm probably missing something here, can I only use this in iRules?
Is it possible to do calculations like this in a variable assignment? Is there a better way to achieve my goal?
12 Replies
- ChristianH_1903
Nimbostratus
The problem is that the "eduPersonTargetedID" should be different for different SPs. Just adding a prefix/suffix per SP to the value calculated from the original user attribute (email address in my case) would still allow one to see that it is the same person accessing the 2 services. Ideally I would create the SHA256 value out of the email address plus a unique identifier for the SP at the time the SAML attribute is assigned to the SAML response.
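The derivation described in the reply above (a hash over the user attribute plus a per-SP identifier), as an added example that is not part of the thread and is not F5 configuration. It assumes a secret key and uses HMAC-SHA256 instead of a bare SHA-256, because the email address and the SP entityID are both guessable or public; the key, entityIDs and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none of these come from the thread.
SECRET_KEY = b"constructed-demo-key-keep-the-real-one-in-a-secret-store"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"


def _field(value: str) -> bytes:
    """Length-prefix a field so ("ab", "c") and ("a", "bc") cannot collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def _normalise(user_attr: str) -> str:
    # Assumption: the source attribute is an email address compared
    # case-insensitively, so "Alice@Example.org" == "alice@example.org".
    return user_attr.strip().lower()


def targeted_id(user_attr: str, sp_entity_id: str, key: bytes = SECRET_KEY) -> str:
    """Opaque per-SP identifier: HMAC-SHA256 over (SP entityID, user attribute)."""
    if not user_attr.strip() or not sp_entity_id:
        raise ValueError("user attribute and SP entityID are both required")
    msg = _field(sp_entity_id) + _field(_normalise(user_attr))
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # URL-safe base64 without padding keeps the value short and opaque.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def unkeyed_id(user_attr: str, sp_entity_id: str) -> str:
    """Bare SHA-256 variant, for comparison: any party that knows the email
    address and the entityID can recompute this value, so it is not opaque."""
    msg = _field(sp_entity_id) + _field(_normalise(user_attr))
    return hashlib.sha256(msg).hexdigest()


if __name__ == "__main__":
    user = "alice@example.org"  # constructed sample user
    print("SP A:", targeted_id(user, SP_A))
    print("SP B:", targeted_id(user, SP_B))  # differs, so the SPs cannot correlate
    print("SP A again:", targeted_id(user, SP_A))  # stable across logins
```

The key has to stay constant for as long as the SPs rely on the identifier, since rotating it changes every user's value at every SP.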