For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Samuel_Rydén's avatar
Samuel_Rydén
Icon for Altocumulus rankAltocumulus
Dec 08, 2022

tcl logic in SAML Attribute value field possible?

Hi. We're running BigIP as a SAML IDP. Can I somehow issue tcl logic in a SAML attributes? I'm talking about the Access ›› Federation : SAML Identity Provider : Local IdP Services, editing an obje...
event
federation
idp
irule
saml
security
tcl
JoshBecigneul's avatar
JoshBecigneul
Icon for MVP rankMVP
Dec 08, 2022

I would probably suggest using the Empty Agent's branch matching capabilities inside of a macro to set the attribute based on group matching like that. It is pretty capable for that feature.

Something like this:

 

Samuel_Rydén's avatar
Samuel_Rydén
Icon for Altocumulus rankAltocumulus
Dec 14, 2022

Thank you for your inquiry.

Your solution would work.

However, it's not a route I want to take, our VPE is already cluttered enough, with ten or so fairly complex macros. I'm trying to keep it as general as I possibly can, and put the complexity in either iRules or - as I really wanted to do this time - in the actual SAML attribute value.
If I can't have it my way, I'm still undecided whether I'll go the iRule route or the VPE route.

I'll keep you guys posted. 🙂

  • ja1931's avatar
    ja1931
    Icon for Nimbostratus rankNimbostratus
    Oct 24, 2025

    Did you end up figuring out a solution? I am also in the same boat. Empty branch rules dont work for me because I might have someone that has belongs to two of the groups and needs to access both. An irule would just clutter everyone with a ton of variables. Being able to assign a default in the saml variable value field would be awesome.