SAML SSO send specific AD Group in Assertion

Question

We are using F5 APM as IdP and are trying to send AD Groups in our SAML assertion to the SP using the attribute session.ldap.last.attr.memberof. Some of our AD groups have special character, causing the assertion to fail as documented in https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15157.html. We don't need to send all the AD Groups to the SP, only the groups that would be related to the application we are logging into. We are trying to configure a custom variable in the APM to select specific groups. Is this possible? Could we configure a custom expression like { set memberof [mcget {session.ldap.last.attr.memberof}] contains "appname" }?

michael_jenkins · Answer

One option would be to look into the ACCESS_POLICY_AGENT event, which can be called during the login flow in the VPE. You could have the iRule parse the memberof session variable (using ACCESS::session data get and populate a new session variable ACCESS::session data set with the desired value(s), then pass that.

Forum Discussion

SAML SSO send specific AD Group in Assertion

1 Reply

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

SSO login for APM Profiles

LTM issue Openning new web browser tab

Can F5 restrict the file types transferred via FTP?

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

SFP Port LEDs Blinking Yellow

Related Content

APM-Specific Features for Securing Your Website

Certified Kubernetes Administrator - Study Group

Intermediate iRules: Data-Groups

F5 object groups in AFM

VLAN Group and Asymmetric Deployment

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS