Forum Discussion
THi_89722
Nimbostratus
NimbostratusMulti-valued SAML attributes not supported - any ideas/workarounds?
Currently APM does not support multi-valued SAML attributes (multiple same attribute instances within SAML assertion (Bug ID 400726, SOL 14570).
Consider authentication and access control based ...
r3ma_74410Nimbostratus
NimbostratusI wrote an iRule to parse multi valued attributes from a federated SAML token and put them into one string with each element separated by a pipe:
when ACCESS_POLICY_AGENT_EVENT {
if {[ACCESS::policy agent_id] eq "di_roleParse" } {
Get the raw SAML Assertion
set samlAssertion [ACCESS::session data get "session.saml.last.assertion"]
Parse the XML and only extract the Role claim, also trim the first 76 characters so we dont keep all the attribute junk
set roleValues [findstr $samlAssertion "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" 76 ""]
delete all the XML attribute value openers
regsub -all "" $roleValues "" roleValues
replcae all the XML attribute value closers with space pipe space
regsub -all "" $roleValues " | " roleValues
assign to a custom variable
ACCESS::session data set session.custom.attr.role $shortRoles
}
}
- Daniel_W__13795Has anybody changed this iRule to do it the other way around? Search for pipes and transfer it to a multi value attribute for each entry? Would help everybody who is trying to send AD groups to SAML SP as multi value attribute. I will try that as soon as I find some time.
- r3ma_74410Yep I tried that. The parser that creates SAML tokens for F5 IdP service doesn't allow you to put XML tag characters inside attributes. It rencodes them into their URL equivilents. So when I tried to replace the pipes with 'GROUP'"GROUP' etc... it printed it into the SAML token like this: 'GROUP'<&bs;saml:AttributeValue$gt; Annoying. EDIT: Oh bloody hell, this comment box has re-encoded all my URL and XML tags. See bellow so I can use a code box. Sigh.
