Forum Discussion
Oreoluwa
Altocumulus
AltocumulusSAML SESSION VARIABLE AND ATTRIBUTES
HI, I am currently setup on my APM to use SAML single sign on with Azure as my IDP and F5 APM as my SP. I want to assign resources to authenticated users based on their groups in azure. How do i represent this in the Advanced Resource Assign expression in the Visual Policy Editor?
Please this is quite urgent.
PeteWhiteEmployee
An quick answer - find the session variable which contains the groups and add an Empty Box where the first branch uses mcget and expr
eg expr { [ mcget { session.saml.attr.groups } ] contains "Administrator" }
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-13-0-0/8.html
Start with this and move on from there
OreoluwaHi Pete, thanks for your reply. From the link you posted, i see that this expression was said to be useful in the variable assign block which is in the VPE of the access per request policy. Is it possible to use this same expression the per session policy for the advanced resource assign expression box? Secondly, while using this expression to specify groups, is there any where in the SP, IDP connector settings of the SAML that i have to specify this attirbute value in the expression you posted. I am asking because i have seen a box in the IDP connector settings named identity attribute location and i wouldnt know what is required in that box in the idp connector setting.
- PeteWhite
Yes, IIRC you can also use this in advanced resource assign - it is a general thing which is available in many of the VPE objects, both per-session and per-request.
Not too sure what you mean about the IdP connector, I suspect that you are talking about using multiple IdPs. For instance, if you have a different landing URI, Host etc then you can send the request to a different IdP. What are you trying to do?
CA_ValliMVP
Thanks for sharing! Solved me a similar issue. Upvoted.