Forum Discussion
Howto extract SAML NameID from AuthnRequest
Hi,
It is possible to extract the SAML authentication request passed in the GET query string. You need to inflate it with an iRule LX, like this:
https://devcentral.f5.com/s/feed/0D51T00007HPLCVSA5
# For a GET
# $requeteSAML, $methode and $path are set earlier in the rule (not shown here);
# $requeteSAML is assumed to hold the SAMLRequest value from the query string.
set ilx_handle [ILX::init "Saml-plugin" "Saml-ext"]
# Try to base64 decode and inflate the SAML request through the iRule LX extension. Handle errors using catch.
# Successful execution of inflate_b64 by catch will return 0 and the output will be written to $SAMLdata
if {[catch {ILX::call $ilx_handle "inflate_b64" $requeteSAML} SAMLdata] == 0 and $SAMLdata ne ""} {
    # decoding succeeded
    log local0. "SAML query string decoding succeeded : \[IP::client_addr\]: [IP::client_addr] \[SAMLdata\]: $SAMLdata"
} else {
    # decoding failed: on error, catch stores the error message in $SAMLdata, so clear it
    log local0. "SAML query string decoding failed"
    set SAMLdata ""
}
if {$SAMLdata ne ""} {
    # Locate the first "issuer" string, then take the text between the next ">" and the following "<"
    set SAML_Issuer_loc [string first "issuer" [string tolower $SAMLdata]]
    set SAML_Issuer_start [expr {[string first ">" $SAMLdata $SAML_Issuer_loc] + 1}]
    set SAML_Issuer_end [expr {[string first "<" $SAMLdata $SAML_Issuer_start] - 1}]
    set SAML_Issuer [string range $SAMLdata $SAML_Issuer_start $SAML_Issuer_end]
    log local0. "DEBUG SAML GET - issuer extracting : \[IP::client_addr\]: [IP::client_addr] \[HTTP::method\]: $methode \[PATH\]: $path \[SAML_Issuer\]: $SAML_Issuer"
}
For the authn request with a POST, you can do it like this:
https://devcentral.f5.com/s/articles/apm-saml-idp-sp-issuer-extraction
Yves
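Added example, not part of the post above and not the code of the linked iRule LX extension: a stand-alone Node.js sketch of the decode step the post delegates to "inflate_b64" (base64, then raw DEFLATE, as used by the SAML HTTP-Redirect binding), with a bounded output size and extraction of both Issuer and NameID by element name. The function names, the 64 KB cap and the sample request are assumptions made for this illustration.

```javascript
const zlib = require('zlib');

const MAX_XML_BYTES = 64 * 1024; // assumed cap; an AuthnRequest is normally a few KB

// Decode an already URL-decoded SAMLRequest value from the query string:
// base64 -> raw DEFLATE (no zlib header) -> UTF-8 XML.
function inflateB64(samlRequest) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(samlRequest)) {
    throw new Error('SAMLRequest is not valid base64');
  }
  const compressed = Buffer.from(samlRequest, 'base64');
  // maxOutputLength makes inflate throw instead of expanding an oversized payload
  return zlib.inflateRawSync(compressed, { maxOutputLength: MAX_XML_BYTES })
    .toString('utf8');
}

// Text of the first element with this local name, whatever its namespace prefix.
// Matching on element boundaries avoids hits on attributes such as IssueInstant.
function elementText(xml, localName) {
  const prefix = '(?:[\\w.-]+:)?';
  const re = new RegExp('<' + prefix + localName + '(?:\\s[^>]*)?>([^<]*)</' + prefix + localName + '\\s*>');
  const m = re.exec(xml);
  return m ? m[1].trim() : null;
}

// Returns { issuer, nameId }; a field is null when the element is absent.
function parseAuthnRequest(samlRequest) {
  const xml = inflateB64(samlRequest).replace(/<!--[\s\S]*?-->/g, ''); // ignore comments
  return { issuer: elementText(xml, 'Issuer'), nameId: elementText(xml, 'NameID') };
}

// Constructed sample AuthnRequest (not taken from the thread)
const sampleXml =
  '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
  'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" ' +
  'Version="2.0" IssueInstant="2024-01-01T00:00:00Z">' +
  '<!-- Issuer set by SP config -->' +
  '<saml:Issuer>https://sp.example.test/metadata</saml:Issuer>' +
  '<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>' +
  '<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>';
const sampleRequest = zlib.deflateRawSync(Buffer.from(sampleXml)).toString('base64');
console.log(parseAuthnRequest(sampleRequest));
```

The values returned here come from an unauthenticated request; in the HTTP-Redirect binding the signature travels in separate query parameters, so use them for logging or routing only unless that signature has been verified.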