
Get/log APM SAML session attributes?

patonbike
Cirrus

Is there a way to list all of the session variables or attributes?

For example:

ACCESS::session data get "session.saml.last.attr.name.<attribute_name>"

What if I do not know what attributes are being asserted to me as the Service provider (SP)?


Dan_E
Altostratus

Hi,

I think the question needs some more information.

Are you trying to log these at the IdP or at the SP?

I assume that the F5 has a virtual server with APM attached as the IdP?

For an application that is behind an F5 virtual server but uses SAML to authenticate with the IdP, you will not be able to use the iRule command that you mentioned in your question, as the virtual server doesn't have an Access Policy attached.

Sorry, I will try to clarify. We are acting as the SP. We're receiving an assertion from the IdP. I don't know exactly what attributes are being passed over from the IdP. I'd like to send these values back to our pool members in an HTTP header (which will be encrypted). I'm wondering if there is some way to just dump the whole assertion to the APM log or something temporarily, so I can look at it and then determine which attributes to send back to the pool members via headers.

 

This is the article that deals with sending SAML attributes to pool members through headers:

https://support.f5.com/csp/article/K00379500

 

I saw this, which seems like it might be what I want to see, but it is only for v14; we are running v12 right now:

ACCESS::saml assertion

 

 

Hi, I haven't done much with F5 as the SP. That command does look like what you want; you may need to ask F5 support what you can use in v12.

Seems like they should be getting logged under:

Access policy -> Event logs -> Access system logs -> Session reports -> All sessions -> View Session Variables and then expanding down into:

session.saml.last.attr.NAME

 

It might be that they're not getting passed over yet and that is why I am not seeing them. There's a whole slew of stuff there, just no attributes.

 

I'll update when I figure it out.

 

Wondering if you managed to figure it out yet? Please share.