Forum Discussion

Squeak_117117
May 02, 2019

Map SAML variable value to a specific user attribute.

Hello,

I'm currently working on a setup where users have to authenticate with an external SAML IdP to access a webtop with some Portal Access resources.

The problem I'm facing is that I have to map a SAML variable that I receive from the external IdP to a user attribute from the local AD.

My VPE looks like this:

SAML Auth -> Variable Assign -> AD Query -> SSO

The Variable Assign converts the SAML variable to session.logon.last.username.

My question is how do I map the SAML variable value to a specific user in the AD?

Thanks in advance.


  • Not sure if this is an answer to your question, but with the Variable Assign agent you will fill the session.logon.last.username session variable with the content of a session.saml session variable, for example session.saml.last.identity. Then you will use the AD Query agent to perform an AD query like (sAMAccountName=%{session.logon.last.username}) and fetch the AD attributes you need for this user.

    It could also be that the IdP sends the e-mail address of the user, and you'll need to do a query on the AD using the e-mail address to resolve the sAMAccountName. Either way you'll need some unique identifier that the IdP passes as a SAML attribute that helps you identify the user in your AD.
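A worked illustration of the AD Query step described in the answer above. This is an added example, not code from the thread or from F5: it builds the same kind of equality filter from a SAML-asserted value and evaluates it against a small constructed in-memory directory that stands in for AD, so there is no live LDAP connection. The accounts, attribute names and helper functions (escape_filter_value, build_filter, ad_query, resolve_user) are assumptions for illustration. The example also escapes the substituted value per RFC 4515 so that an IdP-asserted value is matched literally and cannot turn the filter into a wildcard or add terms; whether the AD Query agent does that for %{...} substitutions on its own is something to verify on your version rather than assume.

```python
"""Resolve a SAML-asserted identity to an AD account through an LDAP filter.

Added example for the AD Query step discussed in this thread; it is not code
from the thread or from F5. A constructed in-memory directory stands in for
AD so the example runs offline. Attribute names, accounts and helper names
are assumptions for illustration only.
"""
import re

# RFC 4515: characters that change the meaning of a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One filter of the shape (attribute=value); that is all the toy evaluator
# below understands.
_EQ_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)$")


def escape_filter_value(value: str) -> str:
    """Escape a value before placing it in an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, saml_value: str) -> str:
    """Equivalent of (attribute=%{session.logon.last.username}), with the
    substituted value escaped so it is matched literally."""
    return f"({attribute}={escape_filter_value(saml_value)})"


def _unescape(raw: str) -> str:
    """Turn \\XX hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_pattern(raw: str):
    """A raw (unescaped) '*' is an LDAP wildcard; everything else is literal.
    AD compares string attributes case-insensitively, hence IGNORECASE."""
    pieces = (re.escape(_unescape(p)) for p in raw.split("*"))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def _attr(entry: dict, name: str):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return None


def ad_query(directory: list, ldap_filter: str) -> list:
    """Evaluate an equality filter against the constructed directory the way
    the AD Query agent would run it against AD. Returns the matching entries."""
    match = _EQ_FILTER.match(ldap_filter)
    if not match:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attribute, raw_value = match.group(1), match.group(2)
    pattern = _value_pattern(raw_value)
    results = []
    for entry in directory:
        value = _attr(entry, attribute)
        if value is None:          # entry has no such attribute: never matches
            continue
        if pattern.match(str(value)):
            results.append(entry)
    return results


# Constructed stand-in for the local AD (not real accounts).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "mail": "jane.doe@example.com",
     "memberOf": "CN=Portal-Users,OU=Groups,DC=example,DC=com"},
    {"sAMAccountName": "asmith", "mail": "alex.smith@example.com",
     "memberOf": "CN=Portal-Users,OU=Groups,DC=example,DC=com"},
    {"sAMAccountName": "svc-portal"},   # service account, no mail attribute
]


def resolve_user(saml_identity: str, directory: list = DIRECTORY):
    """Map the IdP-asserted identity to a sAMAccountName, covering both cases
    from the thread: the IdP sends the account name, or it sends the e-mail
    address and the sAMAccountName has to be looked up from it. Anything other
    than exactly one hit (unknown user, or a non-unique identifier) is refused
    rather than guessed."""
    attribute = "mail" if "@" in saml_identity else "sAMAccountName"
    hits = ad_query(directory, build_filter(attribute, saml_identity))
    if len(hits) != 1:
        return None
    return _attr(hits[0], "sAMAccountName")


if __name__ == "__main__":
    for asserted in ("jdoe", "jane.doe@example.com", "*", "nobody@example.com"):
        print(f"{asserted!r:28} -> {resolve_user(asserted)!r}")
```

The point of the escaping is visible in the last two cases of the demo loop: an asserted value of a bare `*` resolves to nothing, because it is sent as `\2a` and compared literally, whereas the raw filter `(sAMAccountName=*)` run through ad_query returns every account. resolve_user also insists on exactly one hit, which is the "unique identifier" requirement from the answer above made explicit: two accounts sharing the same mail value would be refused rather than silently mapped to the first one.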

  • Sajid

    In version 12.1.2:

    Access Policy > SAML > Local IdP Services

    Select your IdP Service and edit it.

    Under Edit IdP Service > SAML Attributes, click Add and enter the name of the SAML attribute.

    Under Attribute Value(s), click Add and enter the AD attribute value, for example %{session.logon.last.logonname}.

    Click OK.