I have a requirement to send user "roles" based on AD group membership and add these roles as multiple values to a single SAML attribute.
Currently we have all roles in a single string separated by a "|" and put into a session variable which is then applied to a SAML attribute but we need to split the roles out to be applied as multiple values of the same attribute. I need to know if it's possible to manipulate SAML attributes in an iRule. I couldn't find anything in the docs.
How about using: https://clouddocs.f5.com/api/irules/ACCESS__saml.html
I am confused as to what you mean by "multiple values of the same attribute". It seems that you are currently doing that by using an attribute and using a separator
I know I can use 'ACCESS::saml assertion' to send a completely custom assertion but I'd like to avoid it if possible.
Have a look at the attached screen shot for what I mean by multiple values. You are able to add multiple values to a single attribute so the resulting assertion will look something like the snippet below. So rather than adding a delimited string to a single value I want to split it out to multiple values but there doesn't seem to be a way to do that programmatically.
I hope that makes sense.
<saml2:AttributeStatement> <saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Name="portalRole" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SM1</saml2:AttributeValue> <saml2:AttributeValue xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">SM2</saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement>