For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Doug_129661's avatar
Doug_129661
Icon for Nimbostratus rankNimbostratus
Sep 04, 2013

Manipulate SAML assertion data

I am new to F5 technology so I am not sure if this is areasonable question or not.   I wondered if it is possible to collect all the SAML data from the ID provider and then post that XML data to ...
application delivery
design
devops
iRules
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Sep 05, 2013

I've had a chance to look at it, and the decoded assertion is stored in the session.saml.last.assertion session variable. So to go back to question 1, can this value be sent as an HTTP header (the easiest method), or is the application expecting an assertion POST?

If the former, then something like this might work:

when ACCESS_ACL_ALLOWED {
    if { [ACCESS::session data get session.saml.last.sent] == "" } {
        ACCESS::session data set session.saml.last.sent 1
        HTTP::header insert ASSERTION [b64encode [ACCESS::session data get session.saml.last.assertion]]
    }
}

This sends the base64-encoded assertion as an HTTP header ("ASSERTION") in the FIRST request to the server.