Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

APM- Dynamic Resource assignment based on SAML attributes

rkram_p
Altostratus
Altostratus

‎21-Apr-2022 08:34

Hi Team,

Please help me to write expression( Advance resource assignment) to assign resources based on SAML attribute condition.

Access policy:

Machine cert auth --> SAML --> Endpoint check --> Advance resouce assignment 

 

Sample user logs:

File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4836;Message=AttributeName: exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4847;Message=ATTR_NAME: (32) exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4896;Message=AttributeValue: 20034567;"

Attribute Name: exter.extactivitycenter

Attribute value: 20034567

 

I tried below Resource assignment expression formats (advance) in Advace resouce assignment but no luck.

1) session.saml.last.attr.name.exter.extactivitycenter== 20034567
2)expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] == 20034567}
3)expr { [mcget {session.saml.last.attr.name.exter.extactivitycenter}] contains "20034567" }

Please guide me to use correct expression format to assign dymanic resources ( Network access profile, ACL, webtop).

Thanks,

RKram

Labels:
0 Kudos
3 REPLIES 3

Dario_Garrido
MVP
MVP

‎21-Apr-2022 09:43

Hello rkram_p

Maybe with this expression:

expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] eq "20034567"}

But I would say that your syntax is valid. Please, could you check your user variables to verify that both values exist?

  • session.saml.last.attr.name.exter.extactivitycenter
  • 20034567

One easy way to check this is to use a message box before ending the policy evaluation. At this precise moment, check the variables to confirm that both values exist

 

Regards,
Dario.
0 Kudos

rkram_p
Altostratus
Altostratus

‎11-May-2022 01:15

Thank you for your suggestion.

This value we got it from user access session. (SAML response).

do you think, can we add variable agent post successful SAML response and log that variable as a custom one and use that condition in adv resource.?

 

-RKRam

0 Kudos

Dario_Garrido
MVP
MVP
In response to rkram_p

‎11-May-2022 23:46

You can easily do it with an iRule

https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html

https://clouddocs.f5.com/api/irules/ACCESS__saml.html

Btw, if any of my answers was helpful, I would appreciate if you give me some thumbs up or mark the question as resolved. Thanks. 

 

Regards,
Dario.
0 Kudos
Copyright © 2023 Khoros, LLC