How do you filter a SAML Attribute

Question

We currently use the memberOf %{session.ad.last.attr.memberOf} attribute.
Is there a way to filter its so we only send a single attribute for CN=ABC Users?
We cannot specify this in the Access Policy because we have different IDP's and SP's using the same Policy.&nbsp;

drpsyche_375519 · Answer

Hello,&nbsp;
I was looking for a documented way to send a subset of user groups in a SAML response. And here's what I found - https://communities.ca.com/thread/241696397view SAML assertions. Perhaps, you could find some helpful ideas here too.&nbsp;

juraj · Answer

Just a quick thought from top of my head - you can write an iRule to extract the data you need, and store it in the session:
when ACCESS_ACL_ALLOWED {

set ad_memberOf [ACCESS::session data get "session.ad.last.attr.memberOf"]

ACCESS::session data set "session.custom.memberOfABC" [string match "*CN=ABC Users*" $ad_memberOf]
}

Then, you can return it in your SAML assertion via %{session.custom.memberOfABC}, which will contain either 0 or 1, depending on whether the user is a member of CN=ABC Users

Forum Discussion

How do you filter a SAML Attribute

2 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Illegal Metacharacter in Parameter Name in Json Data

Cisco TACACS+ Config on ISE LTM Pair

AS3 declaration to set cookie to preferred

SSL Bridging and FQDN rewrite Policy

Checking for X-Forwarded-For against an Address Data-Group

Related Content

Multiple value seperator in saml Attribute

SAML attributes

Add SameSite attribute to APM Cookies

Lightboard Lessons: HTTP Cookie SameSite Attribute

SAML SLO NameQualifier and SPNameQualifier attributes missing

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS