
F5 APM as SAML IDP - How do I force regeneration of a claim?

Algebraic_Mirro
Cirrostratus

I have F5 APM configured to act as an IDP. The SP I am working with is expecting the SAML IDP to pass them a claim containing not just identity information, but also workflow information. So for example, the attributes in the claim I am passing them need to include these kinds of things:

 

  1. Information about who the user is (unchanging)
  2. The action the user wants to take on the system, i.e., what I want the SP to do. (This can change with each request.)

The SP is a fairly transactional system, and it wants me to pass it a new claim every time the user needs to do something. So for example, the first claim I might send would have attributes saying "This is user A, take action A." Then the user might want to do something else, so I'd have to pass in another claim, saying "This is user A, take action B."

 

The problem is, APM (version 14.1.2.6) doesn't seem to be working that way. For example, my IDP configuration is set up to pull from a custom "action" session variable I have in the policy. It does that perfectly for the first claim I generate. But when I try to generate the second claim, it doesn't update the action. Even though I successfully update the underlying session variable, and looking at the session variables in the report viewer shows it is updated to "Action B", APM does not regenerate the claim. It simply sends over the exact same claim information it created earlier, which has "action A" in it. So the SP will do "action A" again. Does anyone know how to force it to regenerate a claim?

PS - I am not looking for answers that say "you shouldn't use SAML that way." I understand that this is incorrect usage of the protocol. Claims are supposed to be for identity information only, and workflow information should be passed in via REST calls after authentication, or through some similar mechanism. But I don't control the SP. It's a fairly large commercial SaaS platform. So I have to find a way to work with what I have, whether it's "right" or not.
