cancel
Showing results for 
Search instead for 
Did you mean: 

APM- Dynamic Resource assignment based on SAML attributes

rkram_p
Nimbostratus
Nimbostratus

Hi Team,

Please help me to write expression( Advance resource assignment) to assign resources based on SAML attribute condition.

Access policy:

Machine cert auth --> SAML --> Endpoint check --> Advance resouce assignment 

 

Sample user logs:

File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4836;Message=AttributeName: exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4847;Message=ATTR_NAME: (32) exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4896;Message=AttributeValue: 20034567;"

Attribute Name: exter.extactivitycenter

Attribute value: 20034567

 

I tried below Resource assignment expression formats (advance) in Advace resouce assignment but no luck.

1) session.saml.last.attr.name.exter.extactivitycenter== 20034567
2)expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] == 20034567}
3)expr { [mcget {session.saml.last.attr.name.exter.extactivitycenter}] contains "20034567" }

Please guide me to use correct expression format to assign dymanic resources ( Network access profile, ACL, webtop).

Thanks,

RKram

3 REPLIES 3

Hello rkram_p

Maybe with this expression:

expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] eq "20034567"}

But I would say that your syntax is valid. Please, could you check your user variables to verify that both values exist?

  • session.saml.last.attr.name.exter.extactivitycenter
  • 20034567

One easy way to check this is to use a message box before ending the policy evaluation. At this precise moment, check the variables to confirm that both values exist

 

Regards,
Dario.

rkram_p
Nimbostratus
Nimbostratus

Thank you for your suggestion.

This value we got it from user access session. (SAML response).

do you think, can we add variable agent post successful SAML response and log that variable as a custom one and use that condition in adv resource.?

 

-RKRam

You can easily do it with an iRule

https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html

https://clouddocs.f5.com/api/irules/ACCESS__saml.html

Btw, if any of my answers was helpful, I would appreciate if you give me some thumbs up or mark the question as resolved. Thanks. 

 

Regards,
Dario.