
Forum Discussion

kj07208_118528
Apr 08, 2014

Granting access to a SAML Resource depending on membership in AD group

I have users that need access to a SAML resource only if they are in a certain AD group. The problem is I have a common IdP that's used with other SP services. If I can determine which SAML resource is targeted I can make the solution work, but I have only come close with one variable, uuid. I'm not sure if this variable is the one to use. Also, if I don't have a SAML resource on the webtop I get a connection reset (no error details to the browser).


I think I have to do an iRule on this one, but I don't have the information I need. I already checked the logs and reports; nothing is jumping out to build sound iRule logic. Ideas?


Ultimately I would like to do this ....


Box.Net (SP) -> Our (IdP) -> APM/iRule ->


when ACCESS_POLICY_AGENT_EVENT
    set variable $allowtogotobox 0
    if { saml_resource == "saml_res=box" }
        if { session.ad.last.attr.memberOf contains box }
            set variable $allowtogotobox 1
        else
            (this would be optional; I can do this in the iRule or APM)
            redirect to well-defined error page (with appropriate message)


Thanks


No Replies
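The following is an added example of the logic sketched in the post, written as an APM iRule agent event; it is not code from the original post or from F5. It assumes an iRule Event agent with ID "check_box_group" placed in the access policy after the AD Query agent, and it uses a placeholder session variable for the targeted SAML resource because the post does not identify the real one. The deny decision is written to a custom session variable so a branch rule in the policy can redirect to the error page, rather than redirecting from inside the iRule.

```tcl
# Added example, not from the original post: gate a SAML resource on AD group
# membership from an APM iRule Event agent.
# Assumptions (not confirmed by the post):
#   - agent ID "check_box_group" on the iRule Event agent in the access policy
#   - "session.saml.resource.name" is a PLACEHOLDER for whatever session
#     variable your APM version uses to name the targeted SAML resource
#   - the AD group is named "box" (matched on its CN in the DN string)
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our own agent; other iRule Event agents share this event
    if { [ACCESS::policy agent_id] ne "check_box_group" } {
        return
    }

    # Default deny
    set allowtogotobox 0

    # Which SAML resource is the session heading for? (placeholder variable)
    set saml_resource [ACCESS::session data get "session.saml.resource.name"]

    # memberOf as populated by the AD Query agent, e.g.
    # "CN=box,OU=Groups,DC=example,DC=com | CN=staff,OU=Groups,DC=example,DC=com"
    set member_of [string tolower [ACCESS::session data get "session.ad.last.attr.memberOf"]]
    set username [ACCESS::session data get "session.logon.last.username"]

    if { $saml_resource contains "box" } {
        # Match the group CN, not a bare substring, so "sandbox" does not pass
        if { $member_of contains "cn=box," } {
            set allowtogotobox 1
        } else {
            log local0. "APM: $username denied SAML resource '$saml_resource' (not in AD group box)"
        }
    } else {
        # Not the Box resource: this check does not apply, let the policy continue
        set allowtogotobox 1
    }

    # Expose the decision to the access policy; a branch rule of
    # expr {[mcget {session.custom.allowtogotobox}] == 1} sends the user on,
    # and the fallback branch can show a Deny Ending or redirect to the error page
    ACCESS::session data set "session.custom.allowtogotobox" $allowtogotobox
}
```

Matching on "cn=box," (with the trailing comma, after lower-casing) avoids accepting any DN that merely contains the string "box"; the `else` branch that sets the variable to 1 for non-Box resources keeps the common IdP working for the other SP services the post mentions.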