Forum Discussion

Nimbostratus

Feb 24, 2015

Multi-valued SAML attributes not supported - any ideas/workarounds?

Currently APM does not support multi-valued SAML attributes (multiple same attribute instances within SAML assertion (Bug ID 400726, SOL 14570). Consider authentication and access control based ...

BIG-IP Access Policy Manager (APM)

Nimbostratus

Oct 05, 2015

I wrote an iRule to parse multi valued attributes from a federated SAML token and put them into one string with each element separated by a pipe:

when ACCESS_POLICY_AGENT_EVENT {
if {[ACCESS::policy agent_id] eq "di_roleParse" } { 
     Get the raw SAML Assertion
    set samlAssertion [ACCESS::session data get "session.saml.last.assertion"]
    Parse the XML and only extract the Role claim, also trim the first 76 characters so we dont keep all the attribute junk
    set roleValues [findstr $samlAssertion "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" 76 ""]
    delete all the XML attribute value openers
    regsub -all "" $roleValues "" roleValues
     replcae all the XML attribute value closers with space pipe space
    regsub -all "" $roleValues " | " roleValues
     assign to a custom variable
    ACCESS::session data set session.custom.attr.role $shortRoles
    }
}

r3ma_74410

Nimbostratus

Oct 16, 2015

Yep I tried that. The parser that creates SAML tokens for F5 IdP service doesn't allow you to put XML tag characters inside attributes. It rencodes them into their URL equivilents. So when I tried to replace the pipes with 'GROUP'"GROUP' etc... it printed it into the SAML token like this: 'GROUP'<&bs;saml:AttributeValue$gt; Annoying. EDIT: Oh bloody hell, this comment box has re-encoded all my URL and XML tags. See bellow so I can use a code box. Sigh.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)