Forum Discussion
Irule to match two APM variables
I need some help with an iRule that should have this logic:
The attribute "samlattr" must match the value "employeeID". If there is a match, the VPE should continue. If there is no match, the session should be terminated.
The variable "session.saml.last.attr.name.xyz" originates from an external IDP.
The variable "session.ldap.last.attr.employeeID" is a local AD attribute.
I've created this iRule, but it doesn't seem to be working.
    when ACCESS_POLICY_AGENT_EVENT {
        set samlattr [ACCESS::session data get "session.saml.last.attr.name.xyz"]
        set employeeID [ACCESS::session data get "session.ldap.last.attr.employeeID"]
        # Note: "class match" looks a value up in a data group; it is not a plain
        # string comparison between two variables, and the then-branch is empty.
        if { [class match $samlattr eq $employeeID] } {
        } else {
            discard
        }
    }
Any takes?
- youssef1 (Cumulonimbus)
Hi,
You don't need an iRule for this; instead of using an iRule event,
I advise you to use an APM Empty box:
1- Create an Empty box
2- Add a branch rule
3- Create an advanced expression
And enjoy.
- Squeak (Cirrus)
I tried your solution and most of it worked, but if the variable "session.ldap.last.attr.employeeID" is empty the session continues to the next block. The logic should be: if the variable "session.ldap.last.attr.employeeID" matches "session.saml.last.attr.name.xyz" everything is okay, but if they don't match or the variable is empty, APM should discard the session.
Hi Squeak,
Can you test this?
    when ACCESS_POLICY_AGENT_EVENT {
        set samlattr [ACCESS::session data get "session.saml.last.attr.name.xyz"]
        set employeeID [ACCESS::session data get "session.ldap.last.attr.employeeID"]
        # Discard when the LDAP attribute is empty or the two values differ;
        # the empty check is needed because "" ne "" is false
        if { $employeeID eq "" || $samlattr ne $employeeID } {
            discard
        }
    }
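The branch-rule approach from the first reply, written out as an added example that is not from this thread: the iRule only records the comparison result in a custom session variable (name assumed), so the VPE branch rule, not the iRule, ends the session when the LDAP attribute is empty or does not match. The agent ID "checkid" is an assumed name for the iRule Event agent.

```tcl
# Added example, not posted in the thread. Assumes an iRule Event agent with
# ID "checkid" placed in the VPE after the SAML Auth and LDAP Query agents.
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "checkid" } {
        set samlattr   [ACCESS::session data get "session.saml.last.attr.name.xyz"]
        set employeeID [ACCESS::session data get "session.ldap.last.attr.employeeID"]
        # An empty LDAP attribute is treated as a mismatch: never let "" == "" pass.
        if { $employeeID ne "" && $samlattr eq $employeeID } {
            ACCESS::session data set "session.custom.employeeid_match" 1
        } else {
            ACCESS::session data set "session.custom.employeeid_match" 0
        }
    }
}

# Branch rule (advanced expression) on the same agent; the fallback branch
# goes to Deny:
#   expr { [mcget {session.custom.employeeid_match}] == 1 }
#
# Without any iRule, the same check can be placed directly on an Empty box
# as the advanced expression of its branch rule:
#   expr { [mcget {session.ldap.last.attr.employeeID}] ne "" &&
#          [mcget {session.ldap.last.attr.employeeID}] eq
#          [mcget {session.saml.last.attr.name.xyz}] }
```

Keeping the decision in the branch rule means the denial shows up in the APM session log as a normal policy branch rather than a dropped connection.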