Forum Discussion
iRule to assign user id in SAML Assertion message to http header
Need help to assign user id in SAML Assertion message to http header so that Non-SAML application can be supported.
Deployment Scenario:
* BIG-IP as SAML SP and external IdP
* PeopleSoft application - SAML not supported
* Used the following iRules to map user id in SAML Assertion to http header but no value in the variable
```tcl
when ACCESS_POLICY_COMPLETED {
    log local0. "ACCESS POLICY COMPLETED"
    set pplsftUser [ACCESS::session data get "session.saml.last.attr.name.nameid"]
    log local0. "PeopleSoft User $pplsftUser"
    HTTP::header insert "X-P" $pplsftUser
    log local0. "Header Inserted $pplsftUser"
}
```
Need to know how to get user-id on ACCESS::session code?
Thanks and Best regards Teddy
- Stanislas_Piro2
In the access log menu, search for the APM session variable which contains the expected value.
Then change the code to use the ACCESS_ACL_ALLOWED event!
Hi Teddy,
You may take a look at the iRule below...
```tcl
when ACCESS_ACL_ALLOWED {
    # Removing any occurrence of user-provided X-P headers (for security reasons)
    HTTP::header remove "X-P"
    # Injecting the SAML nameid value as new X-P header (for SSO purposes)
    HTTP::header insert "X-P" [ACCESS::session data get "session.saml.last.attr.name.nameid"]
    log local0.debug "Debug: Insert HTTP-Header X-P=[ACCESS::session data get "session.saml.last.attr.name.nameid"]"
}
```
The iRule first removes any user-provided X-P HTTP header instance (for security purposes) and then copies the value of the APM variable "session.saml.last.attr.name.nameid" into a new "X-P" HTTP header.
Cheers, Kai