Forum Discussion
iRule to Convert SAML Assertion To Header Based for Authorization
I'm hoping the community can help me out. I am new to F5 BIG-IP APM and iRules and I hope I make sense. Here is my scenario.
We have acquired Centrify for SSO authentication. However, we have a couple of legacy applications that do not support SAML. Those applications are now behind APM, where APM is the SP and Centrify is the IdP. There is a particular application that, in addition to authentication, requires authorization of a user to access a particular resource.
The flow is as follows:
- Client accesses application via URL on their web browser
- my.policy redirects user to IdP for authentication via APM
- IdP checks AD and then sends SAML assertion back to APM
- APM redirects user back to the application authenticated.
In step 3, AD passes an AD attribute to the IdP to include in the SAML assertion. What we want is to extract that AD attribute from the SAML assertion and pass it to the application as an HTTP header so the application can consume it and authorize the user to access that particular resource. We believe we can accomplish this via iRule, but not sure on the syntax. Any help would be appreciated.
- Stanislas_Piro2
You can do it by assigning an SSO profile (like Kerberos, which is passwordless) to the access profile.
If you want to add headers, create a per-request policy which inserts an HTTP header on each request, then assign this policy to the VS.
According to the APM manual you should be able to access the SAML assertions through the session variables. See below.
Access Policy Manager as a SAML Service Provider (SP)
When you use APM as a SAML service provider, APM consumes SAML assertions (claims) and validates their trustworthiness. After successfully verifying the assertion, APM creates session variables from the assertion contents. In an access policy, you can use these session variables to finely control access to resources and to determine which ACLs to assign. Based on the values of session variables, you can create multiple branches in the policy, assigning different resources and different ACLs on each branch. When it runs, the access policy follows a branch depending on the values of session variables.
Then you could use the code snippet in the following article to take the SAML assertion values from the session variables and set them as an HTTP header.
https://devcentral.f5.com/s/articles/insert-header-for-apm-policy
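The iRule below is an added example of the pattern described in this reply; it is not code from the original thread, from the linked article, or from F5. It assumes the IdP releases the AD attribute under the SAML attribute name "memberOf", so that APM (as SP) stores it in the session variable session.saml.last.attr.name.memberOf after validating the assertion, and that the legacy application reads the header X-Authz-Group; both names are assumptions and should be confirmed against a live session (for example with sessiondump --allkeys on the BIG-IP) and the application's documentation. The event ACCESS_ACL_ALLOWED fires only after the access policy has allowed the request, which is why the session variable is readable there.

```tcl
# Added example, not from the original thread or from F5 documentation.
# Assumptions (verify on your own deployment):
#   - the AD attribute arrives as SAML attribute "memberOf" and is exposed
#     by APM as session.saml.last.attr.name.memberOf
#   - the legacy application authorizes on the X-Authz-Group header
when ACCESS_ACL_ALLOWED {
    set attr_var "session.saml.last.attr.name.memberOf"
    set hdr_name "X-Authz-Group"

    # Strip any copy of the header the browser sent. The backend trusts this
    # header for authorization, so it must only ever carry the value APM
    # took from the validated assertion, never one chosen by the client.
    HTTP::header remove $hdr_name

    set val [ACCESS::session data get $attr_var]

    # Header values must not contain CR or LF; a stray line break would let
    # the backend see an extra, attacker-shaped header line.
    regsub -all {[\r\n]} $val "" val
    set val [string trim $val]

    if { $val equals "" } {
        # Authenticated, but the IdP released no attribute: fail closed
        # instead of sending the request through with no authorization data.
        log local0.warn "no value in $attr_var for APM session [ACCESS::session sid]"
        ACCESS::respond 403 content "Forbidden: authorization attribute missing"
        return
    }

    HTTP::header insert $hdr_name $val
}
```

Attach the iRule to the virtual server that carries the access profile. If the attribute is multi-valued (several AD groups), APM stores all values in the one session variable; check the delimiter it uses on a real session before the application parses the header, and keep the header name consistent with whatever the per-request policy or SSO profile mentioned above would otherwise set, so the two mechanisms do not fight over it.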