We are using the following iRule to include SamAccountName header:

when ACCESS_ACL_ALLOWED {

#Add Username as a Session Variable to be called below

if { [ACCESS::session data get session.saml.last.result] == 1 } {

set name [ACCESS::session data get "session.saml.last.attr.name.SamAccountName"]

HTTP::header insert SamAccountName "$name"

HTTP::header insert WL-Proxy-Client-IP [IP::client_addr]

}

Application owners have discovered the SamAccountName can be modified in the header and the user logging in will be different.

We are looking for a solution to write an iRule that would strip out the initial SamAccountName header information and replace it.