Forum Discussion
Grant access to users from F5 APM based on okta user group
Hi Engineers,
We are planning to migrate our remote access solution from Pulse VPN to F5 APM. We have integrated F5 APM with Okta for SSO and it is working as planned. But we are unable to grant access to a specified user group.
In other VPN solutions like Pulse, Fortinet or Palo we can directly call the Okta user group and assign an ACL to the respective group. But I am unable to do the same with F5 APM.
Scenario:
Okta has 2 groups, one is Engineering and other is Support.
The Engineering group should be able to access Network A and the Support group should be able to access Network B.
We don't want to create an access profile for each group. It should be one access profile, and based on the Okta group the user is part of, he/she should be able to access the network.
My current policy looks like this.
- spalande (Nacreous)
Have you tried using the LDAP query feature? It will query the LDAP server to get the group assignment, and based on that you can create different network access profiles using separate VPN pools.
- PShakunthala (Nimbostratus)
Thanks spalande for your response. I was able to solve the problem by adding an expression in the Advanced Resource Assign tab.
expr {[mcget {session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups}]
contains "Õe66c3bf-e0ee-40d4-9649-2534647f2378"}
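The following is an added example, not code from the thread or from F5. It shows the two Advanced Resource Assign expressions for the scenario above (Engineering gets Network A, Support gets Network B) in a form that runs in plain tclsh, and why an exact group match is safer than the substring `contains` operator. Assumptions not confirmed by the thread: the IdP sends groups in a SAML attribute named `groups`, so APM stores them in `session.saml.last.attr.name.groups`; APM joins a multi-valued attribute into one space-separated string (verify the delimiter on your own deployment with the session variable viewer); the Network Access resources are named `/Common/NA_Network_A` and `/Common/NA_Network_B`; the users alice, bob and carol and their group strings are constructed test data.

```tcl
# Added example (not from the original thread). The mcget proc below is a
# stand-in so the file runs in plain tclsh; inside an access policy the real
# mcget is supplied by APM and this proc must not be defined.
set groups_attr ""

proc mcget {name} {
    global groups_attr
    # Assumption: groups arrive in a SAML attribute literally named "groups".
    if {$name eq "session.saml.last.attr.name.groups"} {
        return $groups_attr
    }
    return ""
}

# Exact membership test. Assumption: APM stores the multi-valued attribute as
# one space-separated string. Splitting on the delimiter and using
# lsearch -exact means "Support" does not match "Support-Contractors".
#
# As a single Advanced Resource Assign expression this is:
#   expr {[lsearch -exact [split [mcget {session.saml.last.attr.name.groups}] " "] "Engineering"] >= 0}
proc in_group {group} {
    set groups [split [mcget {session.saml.last.attr.name.groups}] " "]
    return [expr {[lsearch -exact $groups $group] >= 0}]
}

# One entry per line in the Advanced Resource Assign agent: the group that
# must match and the Network Access resource that entry assigns (names are
# assumed for the example).
set rules {
    {Engineering /Common/NA_Network_A}
    {Support     /Common/NA_Network_B}
}

proc assign_resources {} {
    global rules
    set assigned {}
    foreach rule $rules {
        lassign $rule group resource
        if {[in_group $group]} {
            lappend assigned $resource
        }
    }
    return $assigned
}

# Constructed test sessions: carol is in a group whose name merely starts
# with "Support" and must not receive Network B.
foreach {user attr} {
    alice "Engineering AllStaff"
    bob   "Support AllStaff"
    carol "Support-Contractors AllStaff"
} {
    set groups_attr $attr
    puts "$user -> [assign_resources]"
    # What the thread's "contains" expression would see: a plain substring
    # test, emulated here with string first, which is true for carol too.
    puts "    contains Support: [expr {[string first Support $attr] >= 0}]"
}
```

Running this with tclsh assigns Network A to alice, Network B to bob and nothing to carol, while the substring line reports true for both bob and carol. The thread's own expression avoids the problem a different way: it matches a group object ID, which is a fixed-length opaque identifier rather than a human-readable name, so a substring match cannot collide with a longer group name. If you match on display names instead, use the exact form shown above.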