For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Squeak_117117's avatar
Squeak_117117
Icon for Nimbostratus rankNimbostratus
May 02, 2019

Map SAML variable value to a specific user attribute.

Hello,   I´m currently working on a setup that the users have to authenticate with external SAML IDP to access a webtop with some Portal access resources.   The problem I´m facing are that I h...
application delivery
BIG-IP Access Policy Manager (APM)
Niels_van_Sluis's avatar
Niels_van_Sluis
Icon for MVP rankMVP
May 02, 2019

Not sure if this is an answer to your question, but with the Variable Assign agent you will fill the 

session.logon.last.username
session variable with the content of a 
session.saml
session variable, for example 
session.saml.last.identity
. Then you will use the AD Query agent to perform an AD query like 
(sAMAccountName=%{session.logon.last.username})
and fetch the AD attributes you need for this user.

It could also be that the IDP sends the e-mail address of the user, and you'll need to do a query on the AD using the e-mail address, to resolve the SAMAccountName. Either way you'll need some unique identifier that the IDP passes as an SAML attribute that helps you identify the user in your AD.