Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Get/log APM SAML session attributes?

patonbike
Cirrus
Cirrus

‎10-Aug-2020 16:50

Is there a way to list all of the session variables or attributes?

 

 

 

For example

ACCESS::session data get "session.saml.last.attr.name.<attribute_name>"

What if I do not know what attributes are being asserted to me as the Service provider (SP)?

 

 

 

 

Labels:
0 Kudos
5 REPLIES 5

Dan_E
Altostratus
Altostratus

‎10-Aug-2020 20:08

Hi,

I think the question needs some more information.

Are you trying to log these at the IdP or at the SP?

I assume that the F5 has a virtual server with APM attached as the IdP?

An application that is behind an F5 virtual server but using SAML to auth with the IdP, you will not be able to use the iRule command that you mentioned in your question as the virtual server doesn't have an Access Policy attached.

0 Kudos

patonbike
Cirrus
Cirrus
In response to Dan_E

‎11-Aug-2020 09:07

Sorry I will try to clarify. We are acting as the SP. We're receiving an assertion from the IdP. I don't know exactly what attributes are being passed over from the IdP. I'd like to send these values back to our pool members in an HTTP header (which will be encrypted). I'm wondering if there is some way to just dump the whole assertion to APM log or something temporarily, so I can look at it and then determine which attributes to send back to the pool members via headers.

 

This is the article which deals in sending SAML attributes to pool members through headers:

https://support.f5.com/csp/article/K00379500

 

I saw this, which seems like it might be what I want to see, but it is only for v14, we are running v12 right now:

ACCESS::saml assertion

 

 

0 Kudos

Dan_E
Altostratus
Altostratus
In response to patonbike

‎11-Aug-2020 16:01

Hi, I haven't done much with F5 as the SP. That command does look like what you want, may need to ask F5 support what you can use in v12.

0 Kudos

patonbike
Cirrus
Cirrus
In response to patonbike

‎12-Aug-2020 09:41

Seems like they should be getting logged under:

Access policy -> Event logs -> Access system logs -> Session reports -> All sessions -> View Session Variables and then expanding down into:

session.saml.last.attr.NAME

 

It might be that they're not getting passed over yet and that is why I am not seeing them. There's a whole slew of stuff there, just no attributes.

 

I'll update when I figure it out.

 

0 Kudos

mannymekala
Nimbostratus
Nimbostratus
In response to patonbike

‎28-Dec-2022 20:23

Wondering if you managed to figure it yet? please share.

0 Kudos
Copyright © 2023 Khoros, LLC