Forum Discussion
NetSnoopy
Apr 11, 2017 (Cirrus)
SAML token convert to JWT
Hello,
I created an iRule to convert a SAML token to a JWT (JSON web token). It works well, but I get a signature error. I tried many options and formats, but nothing works. I'm sure you can help me easily....
NetSnoopy
Apr 12, 2017 (Cirrus)
Hello,
I found my mistake and now it's working. Here is the working iRule:
when ACCESS_ACL_ALLOWED {
    # HMAC-SHA256 secret; must match the key the back-end uses to verify the JWT
    set secret_key "secret"

    # get data from the SAML session
    set user [ACCESS::session data get session.saml.last.nameIDValue]
    set sub [ACCESS::session data get session.saml.last.attr.name.http://xxxx.de/EmployeeID]
    set nbf [ACCESS::session data get session.saml.last.validityNotBefore]
    set exp [ACCESS::session data get session.saml.last.validityNotOnOrAfter]
    set email [ACCESS::session data get session.saml.last.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress]
    set surname [ACCESS::session data get session.saml./Common/kosmos-uat_APM_Test_act_saml_auth_ag.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname]
    set givenname [ACCESS::session data get session.saml./Common/kosmos-uat_APM_Test_act_saml_auth_ag.attr.name.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname]
    set aud [ACCESS::session data get session.saml.last.assertionIssuer]
    set gpid [ACCESS::session data get session.saml.last.attr.name.http://xxxx.de/xxxx-User-GPID]

    # generate JWT (JWS compact serialization: header.payload.signature)
    # JWT segments must be base64url without padding (RFC 7515); b64encode emits
    # standard base64 with '+', '/' and '=', so map those characters before the
    # segments are joined and signed
    set b64url_map {+ - / _ = {}}
    set jwt_header [string map $b64url_map [b64encode "{\r\n \"alg\": \"HS256\", \r\n \"typ\": \"JWT\"\r\n}"]]
    # note: nbf/exp are copied here as the SAML ISO 8601 strings; RFC 7519 defines
    # them as NumericDate (seconds since the epoch), which a strict validator may require
    set jwt_payload [string map $b64url_map [b64encode "{\r\n \"user\": \"$user\",\r\n \"sub\": \"$sub\",\r\n \"nbf\": \"$nbf\",\r\n \"exp\": \"$exp\",\r\n \"email\": \"$email\",\r\n \"surname\": \"$surname\",\r\n \"givenname\": \"$givenname\",\r\n \"aud\": \"$aud\",\r\n \"gpid\": \"$gpid\"\r\n}"]]
    set jwt_data "$jwt_header.$jwt_payload"
    # the HMAC is computed over the already-encoded header.payload string
    set jwt_sig [string map $b64url_map [b64encode [CRYPTO::sign -alg hmac-sha256 -key $secret_key $jwt_data]]]
    set jwt "$jwt_header.$jwt_payload.$jwt_sig"
    # debug only: this writes a bearer token to the log; remove it in production
    log local0. "JWT $jwt"
}
when HTTP_REQUEST {
    if { [info exists jwt] } {
        HTTP::header insert Authorization "Bearer $jwt"
    }
}
In this case the JWT is only sent to the server, not to the client. If you also want it sent to the client, add the following lines:
when HTTP_RESPONSE {
    if { [info exists jwt] } {
        HTTP::header insert Authorization "Bearer $jwt"
    }
}
I hope I can help someone with this example.
Cheers, NetSnoopy
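A signature error like the one in the first post usually comes from one of three things: segments encoded with standard, padded base64 instead of base64url, the HMAC computed over something other than the already-encoded header.payload string, or nbf/exp carried as strings instead of NumericDate. The following Python is an added example, not code from the post or from F5. It builds an HS256 JWT from constructed stand-ins for the session.saml.last.* values and pairs it with a strict validator of the kind a back-end runs, so the reasons a token gets rejected (padded base64, wrong key, expiry, tampering) are visible. It assumes that the iRule's b64encode emits standard padded base64 (that is what build_padded_jwt imitates); SAMPLE_SESSION, SECRET_KEY and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample values standing in for the APM session variables the
# iRule reads (session.saml.last.*). They are not real data.
SAMPLE_SESSION = {
    "session.saml.last.nameIDValue": "jdoe",
    "session.saml.last.validityNotBefore": "2017-04-12T08:00:00Z",
    "session.saml.last.validityNotOnOrAfter": "2017-04-12T09:00:00Z",
    "session.saml.last.assertionIssuer": "https://idp.example.invalid/saml",
}
SECRET_KEY = b"secret"  # constructed, mirrors the thread; use a long random key in practice


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7515 requires for every JWS segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url: restore the padding the encoder stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def saml_time_to_numeric_date(value: str) -> int:
    """SAML validity timestamps are ISO 8601 strings; JWT 'nbf'/'exp' must be
    NumericDate, i.e. seconds since the Unix epoch (RFC 7519 section 2)."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def claims_from_session(session: dict) -> dict:
    """Map the SAML session data onto JWT claims, converting the timestamps."""
    return {
        "user": session["session.saml.last.nameIDValue"],
        "nbf": saml_time_to_numeric_date(session["session.saml.last.validityNotBefore"]),
        "exp": saml_time_to_numeric_date(session["session.saml.last.validityNotOnOrAfter"]),
        "aud": session["session.saml.last.assertionIssuer"],
    }


def build_hs256_jwt(session: dict, key: bytes) -> str:
    """Correct HS256 JWT: base64url(header).base64url(payload).base64url(HMAC),
    with the HMAC computed over the already-encoded first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(compact_json(header)) + "." + b64url(compact_json(claims_from_session(session)))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_padded_jwt(session: dict, key: bytes) -> str:
    """Same construction with standard, padded base64 (what a generic b64encode
    produces). The 32-byte HMAC always ends in '=', so strict validators reject it."""
    std = lambda b: base64.b64encode(b).decode("ascii")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = std(compact_json(header)) + "." + std(compact_json(claims_from_session(session)))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + std(sig)


_B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def verify_hs256_jwt(token: str, key: bytes, now: int):
    """Mirror of a strict back-end validator. Returns (True, claims) or
    (False, reason). Only HS256 is accepted, so a header that names any other
    algorithm (including 'none') is refused before the signature is looked at."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "expected three dot-separated segments"
    header_b64, payload_b64, sig_b64 = parts
    if any(c not in _B64URL_ALPHABET for c in token.replace(".", "")):
        return False, "segment contains '+', '/' or '=': not base64url or padding present"
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "header is not valid JSON"
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig_b64):  # constant-time compare
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("nbf"), int) or not isinstance(claims.get("exp"), int):
        return False, "nbf/exp must be NumericDate integers, not strings"
    if now < claims["nbf"]:
        return False, "token not yet valid"
    if now >= claims["exp"]:
        return False, "token expired"
    return True, claims


if __name__ == "__main__":
    good = build_hs256_jwt(SAMPLE_SESSION, SECRET_KEY)
    print(good)
    print(verify_hs256_jwt(good, SECRET_KEY, now=1491984600))
    print(verify_hs256_jwt(build_padded_jwt(SAMPLE_SESSION, SECRET_KEY), SECRET_KEY, now=1491984600))
```

The validator takes the current time as a parameter so that the nbf/exp window can be exercised deterministically; in a real service it would read the clock, and the key would come from configuration rather than a literal.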