Saml token convert to jwt

Hello,

I create a iRule for convert saml token to JWT (json web token). It works well but I get a signatur error. I try many option and formats. But nothing works. I'm shure you can help me easily.

I have creat a working access Profile with saml. Bigip is SP and an external IdP. Here my iRule.

when ACCESS_ACL_ALLOWED {
        set hamacsha256 secret
       set secret_key "secret"

        get data from saml Session (APM->Manage Sessions-> Variables -> View)
       set user [ACCESS::session data get session.saml.last.nameIDValue]
       set sub [ACCESS::session data get session.saml.last.attr.name./EmployeeID]
       set nbf [ACCESS::session data get session.saml.last.validityNotBefore]
       set exp [ACCESS::session data get session.saml.last.validityNotOnOrAfter]
       set email [ACCESS::session data get session.saml.last.attr.name./identity/claims/emailaddress]
       set surname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/surname]
       set givenname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/givenname]
       set aud [ACCESS::session data get session.saml.last.assertionIssuer]
       set gpid [ACCESS::session data get session.saml.last.attr.name./GPID]

        Name of the cookie
       set cookie_name "xyz-JWT"

        set cookie header
       set cookie_header "[b64encode "{\r\n \"alg\": \"HS256\", \r\n \"typ\": \"JWT\"\r\n}"]"

        set cookie payload
       set cookie_payload "[b64encode "{\r\n \"user\": \"$user\",\r\n \"sub\": \"$sub\",\r\n \"nbf\": \"$nbf\",\r\n \"exp\": \"$exp\",\r\n \"email\": \"$email\",\r\n \"surname\": \"$surname\",\r\n \"givenname\": \"$givenname\",\r\n \"aud\": \"$aud\",\r\n \"gpid\": \"$gpid\"\r\n}"]"

       set cookie data for signatur
       set cookie_data [concat "[b64encode [URI::encode $cookie_header]].[b64encode [URI::encode $cookie_payload]]"]
        test some other version
       set cookie_data "[URI::encode [b64encode $cookie_header]]\".\"[URI::encode [b64encode $cookie_payload]]"
       set cookie_data "[URI::encode $cookie_header]\".\"[URI::encode $cookie_payload]]"
       set cookie_data $cookie_header"."$cookie_payload
       log local0. "cookie_data $cookie_data"

       create signatur
       set cookie_sig "[CRYPTO::sign -alg hmac-sha256 -key $secret_key $cookie_data]"
       convert signatur in some version
       set cookie_sig_b64 "[b64encode $cookie_sig]"
       set cookie_sig_b64_url "[URI::encode $cookie_sig_b64]"
       set cookie_sig_url_b64 "[b64encode $cookie_sig_url]"
       log local0. "sig_b64= $cookie_sig_b64"
       log local0. "sig_b64_url= $cookie_sig_b64_url"
       log local0. "sig_url_b64= $cookie_sig_url_b64" 

       verify signatur
       if { [CRYPTO::verify -alg hmac-sha256 -key $secret_key -signature $cookie_sig $cookie_data] } {
           log local0. "Data verified"
       }

       create full JWT
       set cookie "$cookie_header.$cookie_payload.$cookie_sig_url_b64"
       HTTP::cookie insert name $cookie_name value $cookie
       log local0. "$cookie_name $cookie"
    }

    send to client
    when HTTP_RESPONSE {
        HTTP::cookie insert name $cookie_name value $cookie
        }

If I verify the cookie with jwt.io (webseite). I get alway a signatur error. All other works. The json notation for signatur is

HMACSHA256(
      base64UrlEncode(header) + "." +
      base64UrlEncode(payload),
      secret
    ) secret base64 encoded

I think I have a mistake in format for cookie_data. In the version you can see some of my tests. How can help me?

Cheers, NetSnoopy