Forum Discussion
Granting access to a SAML Resource depending on membership in AD group
I have users that need access to a SAML resource only if they are in a certain AD group. The problem is I have a common IdP that's used with other SP services. If I can determine which SAML resource is targeted I can make the solution work, but I have only come close to one variable, uuid. I'm not sure if this variable is the one to use. Also, if I don't have a SAML resource on the webtop I get a connection reset (no error details to the browser).
I think I have to do an iRule on this one, but I don't have the information I need. Already checked the logs and reports; nothing jumping out to make a sound iRule logic. Ideas?
Ultimately I would like to do this ....
Box.Net (SP) -> Our (IdP) -> APM/IRule ->
when ACCESS_POLICY_AGENT_EVENT
  set variable $allowtogotobox 0
  if {saml_resource == "saml_res=box"}
    if { session.ad.last.attr.memberOf contains box }
      set variable $allowtogotobox 1
    else (this would be optional, I can do this in the iRule or APM)
      redirect to well defined error page (with appropriate message)
Thanks
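One way to write the gate sketched above as a real APM iRule, as an added example that is not from this thread or from F5. It assumes an iRule Event agent with ID "box_group_check" placed after the AD Query in the access policy, a placeholder group DN, and a placeholder session variable for the targeted SAML resource (the variable the question is still asking about); the access policy is expected to branch on session.custom.allowtogotobox and send the 0 branch to a deny/message page.

```tcl
# Added example: gate a SAML resource on AD group membership from an APM iRule.
# Assumptions (placeholders, not confirmed by the thread):
#   - the policy has an iRule Event agent with ID "box_group_check" after the AD Query
#   - session.ad.last.attr.memberOf is populated by that AD Query
#   - session.custom.saml_resource is a PLACEHOLDER for whatever variable carries
#     the targeted SAML resource in your deployment
#   - the policy branches on session.custom.allowtogotobox (0 = deny, 1 = allow)
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our named agent; other iRule Event agents in the policy are ignored.
    if { [ACCESS::policy agent_id] ne "box_group_check" } { return }

    # Default deny: anything that does not pass the checks below stays at 0.
    ACCESS::session data set session.custom.allowtogotobox 0

    set user     [ACCESS::session data get session.logon.last.username]
    set saml_res [ACCESS::session data get session.custom.saml_resource]
    set groups   [ACCESS::session data get session.ad.last.attr.memberOf]

    # PLACEHOLDER group DN; use the exact DN so a partial name cannot match a wider group.
    set box_group "CN=BoxUsers,OU=Groups,DC=example,DC=com"

    # Other SAML resources on the shared IdP are not gated by this rule.
    if { $saml_res ne "saml_res=box" } {
        ACCESS::session data set session.custom.allowtogotobox 1
        return
    }

    # memberOf is multi-valued; APM commonly stores it as one string of DNs
    # separated by " | ", so a case-insensitive substring search on the full DN works.
    if { [string first [string tolower $box_group] [string tolower $groups]] >= 0 } {
        ACCESS::session data set session.custom.allowtogotobox 1
        log local0. "box access granted for $user (member of $box_group)"
    } else {
        # Leave allowtogotobox at 0; the policy's deny branch shows the error page.
        log local0. "box access denied for $user (not in $box_group)"
    }
}
```

Branching on the session variable in the policy, rather than redirecting from the iRule, keeps the deny page and its message in one place and gives the reset-with-no-details symptom from the question a visible outcome in the APM logs.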