APM SAML group attribute

Spider
Nimbostratus

Hi, I am trying to match on the Azure AD group attribute in the APM access policy, but I can't get it to work. The APM is acting as the SAML SP.

I'm getting the attribute in the access reports -> variables, and I can also print it out using an iRule, so I'm just wondering if someone has a clue as to how I should construct the expression to make it work in the access policy?

The current expression in the access policy looks like this (not working):

expr { [ mcget { session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups } ] equals "<group-id-string>" }

The iRule looks like this:

when HTTP_REQUEST {
  # Identity asserted by the IdP (NameID of the last SAML assertion)
  set username [ACCESS::session data get "session.saml.last.identity"]
  # Azure AD groups claim; the attribute name is the full claim URI
  set group [ACCESS::session data get "session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]
  log local0. "User: $username Group: $group"
}

Thanks


Just tested something similar and your expression seems right. I didn't receive a group attribute, so I tested with another attribute.

Here is the Empty Agent I created:

[screenshot: the Empty Agent configuration in the access policy]

Spider
Nimbostratus

Hi again, thanks for the response. I got this to work now; it seems to have been a matter of whitespace. It works now using the expression:

expr {[mcget {session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups}] equals "<group-id-number>"}

I'm using the same structure as you are now, and that seems to do the trick. :)
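As an added example (not code from the thread or from F5), the same check done in an iRule Event agent, which lets the policy branch on an allow-list of group object IDs rather than a single `equals` against the raw claim value. It assumes the VPE contains an iRule Event agent with ID `check_group`, that the policy then branches on `expr { [mcget {session.custom.group_ok}] == 1 }`, and that a multi-valued groups claim is stored whitespace-separated in the session variable; the group IDs are placeholders.

```tcl
# Added example, not from the original thread. Runs when the iRule Event agent
# "check_group" in the access policy fires, and records whether the user is in
# one of the allowed Azure AD groups in session.custom.group_ok (1 or 0).
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "check_group" } { return }

    # Placeholder group object IDs; replace with the real Azure AD group IDs.
    set allowed_groups [list "<group-id-1>" "<group-id-2>"]

    # The attribute name is the full claim URI, with no embedded whitespace.
    set attr "session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

    set username [ACCESS::session data get "session.saml.last.identity"]
    set groups   [ACCESS::session data get $attr]

    # Assumption: a multi-valued claim is stored whitespace-separated, so the
    # value can be iterated as a Tcl list. An empty claim leaves ok at 0.
    set ok 0
    foreach g $groups {
        if { [lsearch -exact $allowed_groups $g] >= 0 } {
            set ok 1
            break
        }
    }

    ACCESS::session data set session.custom.group_ok $ok
    log local0. "User: $username groups: $groups allowed: $ok"
}
```

Exact matching on group object IDs avoids a substring match accidentally accepting a different group whose ID or name contains the allowed value.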