Forum Discussion

Spider's avatar
Spider
Icon for Nimbostratus rankNimbostratus
Jan 12, 2022

APM SAML group attribute

Hi, I am trying to match on Azure AD group attribute in the APM access policy but i don't get it to work, the APM is acting as SAML SP.

I'm getting the attribute in the access reports -> variables and I can also print it out using an irule so just wondering

if someone has a clue to how I should construct the expression to work in the access policy ?

 

The current Expression in the access policy looks like this: (not working)

expr { [ mcget { session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups } ] equals "<group-id-string>" }

 

 

The irule looks like this:

when HTTP_REQUEST {

  set username [ACCESS::session data get "session.saml.last.identity"]

  set group [ACCESS::session data get "session.saml.last.attr.name.http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"]

  log local0. "User: $username Group: $group"

}

 

Thanks

2 Replies

  • Just tested something similar and you expression seems right. I didn't receive a group attribute, so I tested with another attribute.

     

    Here is the Empty Agent I created:

     

  • Spider's avatar
    Spider
    Icon for Nimbostratus rankNimbostratus

    Hi again, thanks for the response. I got this to work now, seems to have been a matter of whitespace, this works now using the expression:

    expr {[mcget {session.saml.last.attr.name.http://schemas.microsoft.com/ws/ 2008/06/identity/claims/groups}] equals "<group-id-number>"}

     

    I'm using the same structure as you are now, that seems to do the trick. :)