Forum Discussion
THi_89722
Nimbostratus
Feb 24, 2015
Multi-valued SAML attributes not supported - any ideas/workarounds?
Currently APM does not support multi-valued SAML attributes (multiple same attribute instances within SAML assertion) (Bug ID 400726, SOL 14570).
Consider authentication and access control based ...
r3ma_74410
Nimbostratus
Oct 05, 2015
I wrote an iRule to parse multi-valued attributes from a federated SAML token and put them into one string with each element separated by a pipe:
```tcl
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "di_roleParse" } {
        # Get the raw SAML Assertion
        set samlAssertion [ACCESS::session data get "session.saml.last.assertion"]
        # Parse the XML and only extract the Role claim, also trim the first 76 characters so we don't keep all the attribute junk
        # (terminator assumed to be the closing </Attribute> tag)
        set roleValues [findstr $samlAssertion "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" 76 "</Attribute>"]
        # delete all the XML attribute value openers (assumed unprefixed <AttributeValue>, consistent with the 76-character skip)
        regsub -all "<AttributeValue>" $roleValues "" roleValues
        # replace all the XML attribute value closers with space pipe space
        regsub -all "</AttributeValue>" $roleValues " | " roleValues
        # assign to a custom variable
        ACCESS::session data set session.custom.attr.role $roleValues
    }
}
```
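A stricter variant of the parsing in the post above, as an added example that is not part of the original thread or F5's own code: it tolerates namespace prefixes and `xsi:type` attributes on the SAML elements instead of relying on a fixed 76-character skip, and it drops any value containing the pipe delimiter so that one role string cannot be read as several by whatever consumes the joined variable. The proc name `saml_attr_values` is hypothetical; the agent id and session variable names are reused from the post. It assumes the `Name` attribute is double-quoted and does not decode XML entities or CDATA.

```tcl
# Added example: return the values of one SAML attribute as a Tcl list.
proc saml_attr_values { assertion attrName } {
    set values [list]
    # Find the <Attribute ... Name="attrName" ...> element (assumes double quotes).
    set start [string first "Name=\"$attrName\"" $assertion]
    if { $start < 0 } { return $values }
    # The element ends at the first closing Attribute tag after that point,
    # with or without a namespace prefix. "</AttributeValue>" does not match
    # because ">" must follow "Attribute" directly.
    if { ![regexp -start $start -indices {</(?:\w+:)?Attribute>} $assertion endIdx] } {
        return $values
    }
    set body [string range $assertion $start [lindex $endIdx 0]]
    # Collect the text of every AttributeValue child; [^>]* skips xsi:type etc.
    foreach {full val} [regexp -all -inline {<(?:\w+:)?AttributeValue[^>]*>([^<]*)</} $body] {
        set val [string trim $val]
        if { $val eq "" } { continue }
        # A value containing the delimiter would look like extra roles once
        # the list is joined, so drop it and leave a trace in the log.
        if { [string first "|" $val] >= 0 } {
            log local0.warning "SAML role value contains '|', ignored"
            continue
        }
        lappend values $val
    }
    return $values
}

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "di_roleParse" } {
        set assertion [ACCESS::session data get "session.saml.last.assertion"]
        set roles [call saml_attr_values $assertion \
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"]
        # Same output format as the post, without the trailing separator.
        ACCESS::session data set session.custom.attr.role [join $roles " | "]
    }
}
```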
Daniel_W__13795
Nimbostratus
Oct 15, 2015
Has anybody changed this iRule to do it the other way around? Search for pipes and transfer it to a multi value attribute for each entry? Would help everybody who is trying to send AD groups to SAML SP as multi value attribute.
I will try that as soon as I find some time.