21-Apr-2022 08:34
Hi Team,
Please help me to write an expression (Advanced resource assignment) to assign resources based on a SAML attribute condition.
Access policy:
Machine cert auth --> SAML --> Endpoint check --> Advanced resource assignment
Sample user logs:
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4836;Message=AttributeName: exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4847;Message=ATTR_NAME: (32) exter.extactivitycenter;"
File=modules/Authentication/Saml/SamlSPAgent.cpp;Function=parseAssertion;Line=4896;Message=AttributeValue: 20034567;"
Attribute Name: exter.extactivitycenter
Attribute value: 20034567
I tried the below resource assignment expression formats (advanced) in Advanced resource assignment, but no luck.
1) session.saml.last.attr.name.exter.extactivitycenter== 20034567
2) expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] == 20034567}
3) expr { [mcget {session.saml.last.attr.name.exter.extactivitycenter}] contains "20034567" }
Please guide me to use the correct expression format to assign dynamic resources (Network access profile, ACL, webtop).
Thanks,
RKram
21-Apr-2022 09:43
Hello rkram_p
Maybe with this expression:
expr {[mcget {session.saml.last.attr.name.exter.extactivitycenter}] eq "20034567"}
But I would say that your syntax is valid. Please, could you check your user variables to verify that both values exist?
One easy way to check this is to use a message box before ending the policy evaluation. At this precise moment, check the variables to confirm that both values exist.
11-May-2022 01:15
Thank you for your suggestion.
We got this value from the user access session (SAML response).
Do you think we can add a variable agent after the successful SAML response, log that variable as a custom one, and use that condition in adv resource?
-RKRam
11-May-2022 23:46
You can easily do it with an iRule
https://clouddocs.f5.com/api/irules/ACCESS_POLICY_AGENT_EVENT.html
https://clouddocs.f5.com/api/irules/ACCESS__saml.html
Btw, if any of my answers was helpful, I would appreciate if you give me some thumbs up or mark the question as resolved. Thanks.
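
The iRule approach suggested in the last reply, written out as an added example that is not part of the original thread or F5's own code. It assumes an iRule Event item placed after the SAML Auth item in the access policy and the iRule attached to the virtual server; the agent ID `log_saml_attr` and the custom variable `session.custom.activitycenter` are hypothetical names.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Fires for every iRule Event item in the policy; act only on ours.
    # "log_saml_attr" is a hypothetical ID entered in the iRule Event item.
    if { [ACCESS::policy agent_id] eq "log_saml_attr" } {

        # Session variable name as used in the expressions posted above.
        set raw [ACCESS::session data get "session.saml.last.attr.name.exter.extactivitycenter"]

        # Log the raw value between quotes together with its length, so an
        # empty variable, stray whitespace or extra characters are visible
        # in /var/log/ltm instead of silently failing a comparison.
        log local0. "SAML attr exter.extactivitycenter raw='$raw' len=[string length $raw]"

        if { $raw eq "" } {
            # Nothing was stored under this name: the expression can never
            # match, so the name itself is what needs checking.
            log local0. "SAML attr exter.extactivitycenter is empty or not set"
            return
        }

        # Store a trimmed copy under a custom name (hypothetical) for the
        # Advanced Resource Assign expression to test as a string:
        #   expr { [mcget {session.custom.activitycenter}] eq "20034567" }
        ACCESS::session data set "session.custom.activitycenter" [string trim $raw]
    }
}
```

If the log line shows an empty value, the session variable name is the problem rather than the comparison operator.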